Abstract



In two-party computation, two players want to collaborate in a secure way in order to achieve a common goal, but they do not trust each other and do not want the other to learn more than necessary about their inputs. Unfortunately, two-party computation is impossible to achieve unconditionally securely, i.e., such that even an adversary with infinite computing power has no chance of breaking the system. We do have implementations in the computational setting, i.e., where we assume that the computing power of the adversary is bounded, but the security of these implementations is based on unproven assumptions such as the assumption that factoring is hard.

However, if a very simple primitive called oblivious transfer is available, then any two-party computation can be implemented in an unconditionally secure way. In this thesis we investigate what weaker forms of oblivious transfer still allow for implementing oblivious transfer, and hence any two-party computation.

First of all, we will show that oblivious transfer is equivalent to a randomized form of oblivious transfer, and that this randomized oblivious transfer is in fact symmetric. It follows that oblivious transfer is symmetric as well.

Then, we present a protocol that implements oblivious transfer from a 
weakened oblivious transfer called universal oblivious transfer, where one 
of the two players may get additional information. Our reduction is about 
twice as efficient as previous results. 

Weak oblivious transfer is an even weaker form of oblivious transfer, where 
both players may obtain additional information about the other player's 
input, and where the output can contain errors. We give a new, weaker
definition of weak oblivious transfer, as well as new reductions with a 
more detailed analysis. 

Finally, we show that any protocol that implements oblivious transfer 
from weak oblivious transfer can be used in the computational setting to 
implement computationally secure oblivious transfer from computational 
weak oblivious transfer, which is a computational version of weak oblivious 
transfer, where the additional information both players may obtain about 
the other player's input is only computationally bounded.
Summary (Zusammenfassung)

Secure two-party computation allows two players who do not trust each other to jointly carry out a computation without the other player learning any additional information about their input. Unfortunately, it is impossible to carry out such a computation so that it is secure even against a computationally unbounded adversary. Under the assumption that the adversary is computationally bounded, secure protocols exist, but the security of these protocols is based on additional assumptions, such as the assumption that factoring is hard.

If, however, a primitive called oblivious transfer is given, then any two-party computation can be carried out securely against unbounded adversaries. In this thesis we investigate which weaker forms of oblivious transfer still allow us to carry out a secure oblivious transfer.

First, we show that oblivious transfer is equivalent to a randomized oblivious transfer, and that this primitive is symmetric. It follows that oblivious transfer is symmetric as well.

Universal oblivious transfer is a weaker variant of oblivious transfer in which one of the two players may obtain additional information. We show a new, more efficient protocol for constructing oblivious transfer from it.

Weak oblivious transfer is an even weaker form of oblivious transfer in which both players may obtain additional information and the transfer may be faulty. We give both a new, weaker definition of weak oblivious transfer and new protocols for constructing oblivious transfer from it.

Finally, we show that any procedure that constructs oblivious transfer from weak oblivious transfer can also be used to construct computationally secure oblivious transfer from computationally weak oblivious transfer.
Chapter 1

Introduction 



On January 16, 1797, Johann Wolfgang von Goethe (1749-1832) sent a letter to the publisher Vieweg with the following content (translated to English by IHlSD):

"I am inclined to offer Mr. Vieweg from Berlin an epic poem, Hermann and Dorothea, which will have approximately 2000 hexameters. [...] Concerning the royalty we will proceed as follows: I will hand over to Mr. Counsel Böttiger a sealed note which contains my demand, and I wait for what Mr. Vieweg will suggest to offer for my work. If his offer is lower than my demand, then I take my note back, unopened, and the negotiation is broken. If, however, his offer is higher, then I will not ask for more than what is written in the note to be opened by Mr. Böttiger."

The reason for Goethe to choose such a complicated scheme was not to maximize his profit — he would not have earned less by just selling it to Vieweg — he wanted to gain information on how much Vieweg was willing to pay for his work. Indeed, his procedure can be viewed as a second price auction, where Goethe himself was playing the second bidder [MT98]. However, unlike in a second price auction, Goethe would get to know the bid of the highest bidder. To achieve his goal, Goethe needed to be able to commit to a value that Vieweg would not get to know before placing his bid, but such that Goethe himself would also not be able to change it. He did this by giving an envelope to a third, trusted party, Mr. Böttiger. Unfortunately, things turned out differently than Goethe intended. Böttiger opened the envelope and gave Vieweg a hint, who then bid exactly what Goethe had demanded in his envelope. Vieweg was therefore able to completely hide the information on how much he was willing to pay.

This is an example of two-party computation, where two players want to achieve a common goal, but they do not trust each other and do not want the other to learn more than necessary about their inputs. Obviously, such a computation can easily be achieved with the help of a trusted third party. However, as the example above shows, the two players would rather not need to trust such a third party. Our goal is therefore to achieve two-party computation without the help of a trusted third party.

Unfortunately, this task is impossible to achieve unconditionally securely, i.e., such that even an adversary with infinite computing power has no chance of breaking the system. On the other hand, there exist implementations in the computational setting, i.e., they are secure against adversaries which only have limited computing power. However, the security of these implementations is based on unproven assumptions, such as that factoring the product of two large prime numbers is hard.

Needless to say, we would like to base the security of a two-party computation protocol on as few assumptions as possible. Surprisingly, it turned out that if a very simple primitive called oblivious transfer is available, then any two-party computation can be implemented in an unconditionally secure way. Oblivious transfer is a primitive that allows a sender to send two bits to a receiver, who can choose which of the two bits he wants to receive. The receiver will remain completely ignorant about the other bit, while the sender does not get to know which bit has been chosen by the receiver.

Even though oblivious transfer is quite simple, it is rather difficult to implement. For example, in the computational setting quite strong assumptions are needed at the moment. On the other hand, it is possible to implement oblivious transfer under certain physical assumptions. However, such systems generally do not achieve a perfect oblivious transfer, but one where one or both players may still be able to cheat in some way and obtain additional information that they should not be allowed to obtain.



The main topic of this thesis is to present different protocols that implement oblivious transfer from weaker variants. For example, in weak oblivious transfer, three types of errors can occur: first, even if both players execute the protocol honestly, the output of the receiver can be wrong with some probability. Secondly, a dishonest receiver may not remain completely ignorant about the second input bit. And finally, a dishonest sender may gain partial information about the receiver's choice bit. We show that if these three errors are not too large, it is possible to implement an almost perfect oblivious transfer.



1.1 Background 

Two- and multi-party computation. The concept of two- and multi-party computation was introduced by Yao [Yao82]. A complete solution of this problem with respect to computational security was given by Goldreich, Micali, and Wigderson [GMW87], and later but independently by Chaum, Damgård, and van de Graaf [CDvdG88]. Later Ben-Or, Goldwasser, and Wigderson [BGW88] and, independently, Chaum, Crépeau, and Damgård [CCD88] showed that in a model with only pairwise secure channels, multi-party computation among $n$ players unconditionally secure against an active adversary is achievable if and only if $t < n/3$ players are corrupted. Beaver [Bea89] and independently Rabin and Ben-Or [RB89] showed that this bound can be improved to $t < n/2$, assuming that global broadcast channels are available.



Security definitions. Intuitively, it seems to be very clear what we mean 
when we say that a two-party protocol should be secure: it should be 
correct, i.e., it should implement the desired functionality, and it should be 
private, meaning that it should not leak additional information to any of 
the players. Unfortunately, these intuitive ad-hoc requirements are hard 
to formalize and often even insufficient. 

Inspired by the work of Goldwasser, Micali, and Rackoff [GMR85] on zero-knowledge proofs of knowledge, Goldreich, Micali and Wigderson [GMW87] were the first to use the simulation paradigm to define the security of multi-party computation protocols. Micali and Rogaway [MR92] and Beaver [Bea92] further formalized this approach. The idea behind these definitions is very intuitive and goes as follows. We say that a (real) protocol securely computes a certain functionality if for any adversary attacking the protocol, there exists a (not much stronger) adversary in an ideal setting — where the players only have black-box access to the functionality they try to implement — that achieves the same. In other words, a protocol is secure if any attack in the real model can be simulated in the much more restrictive ideal model. As shown by Beaver [Bea92], and formally proved by Canetti [Can96, Can00], these security definitions imply that secure protocols are sequentially composable: if in a secure protocol that uses an ideal functionality, that ideal functionality is replaced by a secure protocol, then the composed protocol is again a secure protocol. Later, Backes, Pfitzmann and Waidner [PW01, BPW03] and independently Canetti [Can01] introduced a stronger security definition called universal composability, which guarantees that protocols can be composed in an arbitrary way.



Oblivious transfer. For the special case of two-party computation, there cannot exist a protocol that is unconditionally secure against one corrupted player. However, if a primitive called oblivious transfer (OT) is available, then any two-party computation can be executed unconditionally securely, which was shown by Goldreich and Vainish [GV88] for passive adversaries, and by Kilian [Kil88] for active adversaries. These results were later improved by Crépeau [Cre90], Goldwasser and Levin [GL91], and Crépeau, van de Graaf, and Tapp [CvdGT95]. The idea of oblivious transfer goes back to Wiesner [Wie83] in around 1970. He tried to show that quantum physics allows us to achieve certain (classical) tasks that otherwise would not be possible. Since a quantum state can contain more information than what we can get out by measuring it, he proposed to use quantum communication as "a means for transmitting two messages either but not both of which may be received", which is exactly what OT achieves. More formally, OT is a primitive that receives two bits $x_0$ and $x_1$ from the sender and a bit $c$ from the receiver, and sends $x_c$ to the receiver, while the receiver does not get to know $x_{1-c}$, and the sender does not get to know $c$. Wiesner proposed a simple protocol that achieves this, but he pointed out that it could be broken in principle. Rabin [Rab81] introduced a similar primitive in 1981, and showed its usefulness for cryptographic applications. (He also gave oblivious transfer its name.) Even, Goldreich and Lempel [EGL85] reintroduced Wiesner's version of OT.






Computationally secure oblivious transfer. There exist different approaches to securely implement OT, with different degrees of security. If we are only interested in computational security, i.e., a system that cannot be broken by any adversary limited to polynomial computing time, then OT can be implemented using noiseless communication only, given that some assumptions are correct. Of course, we would like to make these assumptions as weak as possible; for example, we would like to have an implementation of OT that is secure under the assumption that one-way functions — functions that are easy to evaluate, but hard to invert — exist. Unfortunately, such an implementation is still not known. Even worse, Impagliazzo and Rudich [IR89] showed that such an implementation, if it exists, will be very hard to find, because there cannot exist any black-box reduction of OT to one-way functions.

Even, Goldreich and Lempel [EGL85] presented an implementation of OT using trapdoor permutations. However, Goldreich [Gol04] showed that in fact the stronger assumption of enhanced trapdoor permutations is needed for the protocol to be secure. This assumption was later weakened by Haitner [Hai04] to dense trapdoor permutations. Other implementations use more specific assumptions such as the assumption that factoring a product of two primes is hard, as shown by Rabin [Rab81], or the Diffie-Hellman assumption, shown by Bellare and Micali, Naor and Pinkas, and Aiello, Ishai and Reingold [BM90, NP01, AIR01]. Unfortunately, these latter assumptions have turned out to be wrong in the quantum world, as there exists an efficient algorithm for breaking both assumptions, shown by Shor [Sho94].

In the universally composable framework, Canetti and Fischlin [CF01] showed that there cannot exist an implementation of OT secure against active adversaries¹. On the other hand, Canetti, Lindell, Ostrovsky, and Sahai [CLOS02] showed that the protocol presented in [GMW87] is secure against passive adversaries in the universally composable framework. Garay, MacKenzie and Yang [GMY04] proposed an implementation of enhanced committed OT secure against active adversaries under the additional assumption of a common reference string. Fischlin [Fis06] proposed a protocol that does not assume a common reference string, but needs the help of other players.



¹ They showed that bit-commitment is impossible, but since bit-commitment can be implemented from OT, this implies that OT is impossible as well.
Unconditionally secure oblivious transfer. All known computational implementations of OT — besides the assumption that the adversary is computationally bounded — are based on quite strong, unproven assumptions about the complexity of certain problems. Unconditional security does not have these shortcomings. It offers a security that cannot be broken in principle, no matter what computing power the adversary has, and is generally not based on unproven assumptions. Unfortunately, unconditionally secure OT is impossible to achieve if the players only have access to noiseless communication. In fact, even noiseless quantum communication does not help, as has been shown by Mayers [May97], and independently by Lo and Chau [LC97]². Therefore, some additional resources must be available in order to achieve unconditionally secure OT.



Reductions between different variants of OT. There exist many different variants of OT, and all of them have been shown to be equivalent to OT. Crépeau [Cre88] showed that OT can be implemented from Rabin's OT, and Brassard, Crépeau and Robert [BCR86] showed, among others, that string OT (where the sender can send strings instead of single bits) can be implemented from bit OT. More efficient methods to implement string OT from bit OT were presented by Brassard, Crépeau and Santha [BCS96], by Brassard, Crépeau and Wolf [BC97, BCW03], and by Crépeau and Savvides [CS06]. Imai, Morozov, and Nascimento [IMN06] showed a direct implementation of string OT from Rabin's OT. Dodis and Micali [DM99] presented a protocol to extend the number of choices for the receiver. Another interesting property of OT was shown by Bennett, Brassard, Crépeau and Skubiszewska [BBCS92] and Beaver [Bea95], namely that OT can be precomputed. This means that OT can be converted into a randomized version of OT, which can later be converted back into OT. Crépeau and Santha [CS91], and independently Ostrovsky, Venkatesan and Yung [OVY93], presented protocols which implement OT in one direction from OT in the other direction. Wolf and Wullschleger [WW06] presented a much simpler and more efficient protocol for this.
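The precomputation property just mentioned, as an added example that is not code from the thesis or from [BBCS92, Bea95]: a randomized OT instance (sender holds two random bits, receiver holds a random choice bit and the corresponding bit) is later converted into an OT on chosen inputs with one message per direction, using the standard one-time-pad conversion; all function and type names below are hypothetical, and the ROT shares are constructed locally so the example runs offline.

```python
import secrets
from collections import Counter
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class SenderShare:
    """Sender's share of one ROT instance: two uniformly random bits r0, r1."""
    r0: int
    r1: int


@dataclass(frozen=True)
class ReceiverShare:
    """Receiver's share: a uniformly random choice bit d and the bit r_d."""
    d: int
    rd: int


def split_rot(r0, r1, d):
    """Build both shares of a ROT instance from given randomness.
    A real precomputation phase would draw r0, r1, d uniformly (see fresh_rot);
    taking them as arguments lets us enumerate every case below."""
    return SenderShare(r0, r1), ReceiverShare(d, r1 if d else r0)


def fresh_rot():
    return split_rot(secrets.randbelow(2), secrets.randbelow(2), secrets.randbelow(2))


def receiver_request(share: ReceiverShare, c: int) -> int:
    # The receiver announces e = c XOR d. Because d is uniform and unknown to
    # the sender, e carries no information about the actual choice c.
    return c ^ share.d


def sender_respond(share: SenderShare, x0: int, x1: int, e: int):
    # Mask x0 with r_e and x1 with r_{1-e}. The receiver knows exactly one of
    # r0, r1, namely r_d = r_{c XOR e}, which is the mask sitting on x_c.
    keys = (share.r0, share.r1)
    return x0 ^ keys[e], x1 ^ keys[1 - e]


def receiver_output(share: ReceiverShare, c: int, y0: int, y1: int) -> int:
    # Unmask the wanted value; the other one stays hidden under r_{1-d}.
    return (y1 if c else y0) ^ share.rd


def run_ot(x0, x1, c, rot=None):
    """One OT on chosen inputs, consuming a single precomputed ROT instance."""
    tx, rx = rot if rot is not None else fresh_rot()
    e = receiver_request(rx, c)
    y0, y1 = sender_respond(tx, x0, x1, e)
    return receiver_output(rx, c, y0, y1)


def check_all_cases():
    """Exhaustively check the conversion over all 64 combinations of inputs
    and ROT randomness: correct output, e uniform for each c (sender learns
    nothing about c), and the receiver's full view (c, d, r_d, y0, y1)
    equally likely for x_{1-c} = 0 and x_{1-c} = 1 (receiver learns nothing
    about the other bit)."""
    sender_view = Counter()
    receiver_view = Counter()
    for x0, x1, c, r0, r1, d in product((0, 1), repeat=6):
        tx, rx = split_rot(r0, r1, d)
        e = receiver_request(rx, c)
        y0, y1 = sender_respond(tx, x0, x1, e)
        if receiver_output(rx, c, y0, y1) != (x1 if c else x0):
            return False
        sender_view[(c, e)] += 1
        other = x0 if c else x1
        receiver_view[(c, d, rx.rd, y0, y1, other)] += 1
    # For a fixed c there are 32 cases; e must take each value in 16 of them.
    if any(sender_view[(c, e)] != 16 for c in (0, 1) for e in (0, 1)):
        return False
    # Every receiver view must appear with other = 0 exactly as often as with other = 1.
    views = {key[:-1] for key in receiver_view}
    return all(receiver_view[v + (0,)] == receiver_view[v + (1,)] for v in views)
```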

Various weak versions of OT have been proposed where either the sender's or the receiver's security is weakened. Crépeau and Kilian [CK88] presented an implementation of OT from α-1-2 slightly OT, which is a weak version of OT where the sender may get some information about the choice bit of the receiver. Brassard, Crépeau and Wolf [BC97, BCW03] showed that OT can also be implemented from XOT, GOT or UOT with repetitions, which are weak versions of OT where the receiver may get information he is not supposed to. Cachin [Cac98] proposed a primitive called Universal OT (without repetitions), which is a generalization of XOT, GOT or UOT with repetitions. He proposed a protocol to implement OT, but his proof turned out to be incorrect. The protocol was finally shown to be secure by Damgård, Fehr, Salvail and Schaffner [DFSS06]. The bounds for the protocol were later improved by Wullschleger [Wul07]. Damgård, Kilian and Salvail [DKS99] presented an even weaker form of OT called weak OT (WOT), where the security for both players is weakened and the output to the receiver may be faulty. They presented some bounds for which OT can be implemented from WOT. Later Wullschleger [Wul07] showed that their definition of WOT implicitly uses quite strong assumptions, and proposed a new, weaker definition together with new reductions.

² They showed that bit-commitment is impossible, but since bit-commitment can be implemented from OT, this implies that OT is impossible as well.



OT from physical assumptions. Crépeau and Kilian [CK88] were the first to present protocols for OT using noise as an additional resource, in the form of an erasure channel. Crépeau [Cre97] presented a protocol for the binary-symmetric noisy channel, which was later generalized by Korjik and Morozov [KM01]. Crépeau, Morozov and Wolf [CMW04] finally presented a protocol for any non-trivial channel. As shown by Imai, Müller-Quade, Nascimento and Winter [IMQNW04], Wolf and Wullschleger [WW04], and Nascimento and Winter [NW06], these results also translate to the model where the players receive distributed randomness³.

Damgård, Kilian and Salvail [DKS99] introduced a more realistic, unfair model in which the adversary is given more information than the honest players. For example, if a noisy channel is implemented using a transmitter and an antenna, an adversary may be able to replace the official antenna by a larger one, and may therefore receive the transmitted signal with less noise than an honest receiver would. They presented explicit bounds for the unfair binary noisy channel, which were later improved by Damgård, Fehr, Morozov and Salvail [DFMS04, Mor05]. A central part of these results was the algorithm that implements OT from WOT. However, for the reduction to work, the definition of [Wul07] must be used.

³ A similar model has already been studied in the context of key agreement by Ahlswede and Csiszár [AC93] and Maurer [Mau93].
1.2 Outline of the Thesis

Preliminaries. In Chapter 2 we introduce the three distance measures that we will be using in this thesis. We will present some of the properties they have and how they are related. The distinguishing advantage and the statistical distance are standard measures for the distance between two distributions. On the other hand, the maximal bit-prediction advantage is a special measure that we will use in Chapters 6 and 7.

Definition of secure two-party computation. In Chapter 3 we give a simplified, formal framework for two-party computation that is universally composable. We will define two different models: the malicious model, where the corrupted players may behave arbitrarily, and the semi-honest model, where the corrupted players follow the protocol, but may try to obtain as much information as they can during the protocol. We will also show that these definitions allow protocols to be composed. Finally, we show that security in the malicious model does not imply security in the semi-honest model, and give a weaker security definition for the semi-honest model for which this implication holds.

Oblivious transfer. In Chapter 4 we will introduce the main topic of this thesis: oblivious transfer (OT). We will also define a randomized version of OT, called randomized OT (ROT), and show that OT and ROT are equivalent if communication is free. We will then give a very simple protocol which shows that ROT is symmetric. In connection with the other protocols, this gives us a simple way to reverse the direction of OT. Finally, we will present information-theoretic conditions that imply that a protocol securely implements ROT.

Contribution. Our reduction that reverses ROT, and hence also OT, is joint work with Stefan Wolf [WW06], and is much simpler and more efficient than previous reductions presented in [CS91, OVY93]. The information-theoretic conditions for the security of ROT presented here build on prior joint work with Claude Crépeau, George Savvides and Christian Schaffner [CSSW06]. There, we presented information-theoretic conditions that imply that a protocol securely implements secure function evaluation in a sequentially composable model. These conditions replace many ad-hoc definitions for the security of protocols, which often have been faulty. Here, we only present conditions for ROT; however, we show a stronger statement about ROT, as our conditions imply that a protocol is universally composable, and not only sequentially. Also, our conditions have explicit error terms, which makes them easier to use.

Universal oblivious transfer. In Chapter 5 we will present a protocol that implements ROT from a weak variant of ROT called universal OT (UOT). In contrast to ROT, UOT allows a corrupted receiver to receive any information he wants about the input, as long as he does not receive too much information. For example, he could be allowed to receive a bit string of a certain size that is an arbitrary function of his choice of the sender's inputs.

Contribution. Our proof, which is also presented in [Wul07], shows that in the reduction of OT to UOT, the string length of the resulting OT can be about twice as long as for the bound presented in [DFSS06], which is optimal for that protocol. (The same bound that we present here has already been claimed in [Cac98], but the proof presented there was incorrect, which was discovered by [DFSS06].) Our proof makes use of a novel distributed leftover hash lemma, which is a generalization of the well-known leftover hash lemma [BBR88, ILL89], and of independent interest.

Weak oblivious transfer. In Chapter 6 we introduce weak oblivious transfer (WOT), a weak variant of ROT where the security for both players is weak, and where the output may be incorrect. We give formal definitions of WOT in both the semi-honest and the malicious model. We show that for certain parameters (when the instances of WOT are too weak), it is impossible to implement ROT from WOT. Then we present several protocols that implement ROT from WOT, and give upper bounds on how many instances of WOT are needed. Unfortunately, these reductions do not meet the impossibility bound.

Contribution. We give several improvements over the results presented in [DKS99], most of which are also presented in [Wul07]. First of all, we give new, weaker definitions of WOT that replace the definition presented in [DKS99, DFMS04], which was too strong and had only a very limited range of applications. Also, our definitions make the more general notion of generalized weak oblivious transfer of [DFMS04] unnecessary. For the special case where the WOT does not make any error, we present a more detailed proof and a better upper bound on the number of instances used than in [DKS99]. Then, using a different error-reduction protocol that also works with our weaker definitions, we give bounds for the special case where information is leaked only to one of the two players, as well as several new bounds for the general case.

Computational weak oblivious transfer. In Chapter 7 we transfer the results from Chapter 6 to the computational setting. We define computational weak oblivious transfer (compWOT), which is a computational version of WOT, where the adversary may get some additional computational knowledge about the value he is not supposed to learn. Using Holenstein's hard-core lemma [Hol05, Hol06], we show that any protocol that is secure in the information-theoretic setting can also be used in the computational setting. Hence, the reductions presented in Chapter 6 can be used to amplify compWOT to a computationally secure OT.

Contribution. We give a simplified but slightly stronger version of the pseudo-randomness extraction theorem from [Hol06], and fix the proof given in [Hol06], where a step was missing. Then, we show that computationally secure OT can be implemented from a large set of compWOT instances. This improves the results presented in [Hai04], where only one special case was solved.



Chapter 2 

Preliminaries 



2.1 Notation 

We will use the following convention: lower case letters will denote fixed values and upper case letters will denote random variables and algorithms. Calligraphic letters will denote sets and domains of random variables. For a random variable $X$ over $\mathcal{X}$, we denote its distribution by $P_X : \mathcal{X} \to [0,1]$ with $\sum_{x \in \mathcal{X}} P_X(x) = 1$. For a given distribution $P_{XY} : \mathcal{X} \times \mathcal{Y} \to [0,1]$, we write $P_X(x) := \sum_{y \in \mathcal{Y}} P_{XY}(x,y)$ for the marginal distribution and, if $P_Y(y) \neq 0$, $P_{X|Y}(x \mid y) := P_{XY}(x,y)/P_Y(y)$ for the conditional distribution. By $x^n$ we denote the list $(x_0, \ldots, x_{n-1})$.

We use the function $\exp(x) := e^x$. $\ln(x)$ denotes the natural logarithm, and $\log(x)$ denotes the logarithm to the base 2.



2.2 Distances between Distributions 

In this section, we will introduce two measures for the distance between 
two distributions: the distinguishing advantage and the statistical distance. 

Definition 2.1. The distinguishing advantage of an algorithm $A : \mathcal{U} \to \{0,1\}$ (called the distinguisher) to distinguish $X$ from $Y$, which are random variables over the domain $\mathcal{U}$, is

$$\mathrm{Adv}^{A}(X,Y) := \bigl|\Pr[A(X) = 1] - \Pr[A(Y) = 1]\bigr| .$$

The distinguishing advantage of a class $\mathcal{D}$ of distinguishers in distinguishing $X$ from $Y$ is

$$\mathrm{Adv}^{\mathcal{D}}(X,Y) := \max_{A \in \mathcal{D}} \mathrm{Adv}^{A}(X,Y) .$$

We have $\mathrm{Adv}^{\mathcal{D}}(X,X) = 0$ and $\mathrm{Adv}^{\mathcal{D}}(X,Y) = \mathrm{Adv}^{\mathcal{D}}(Y,X)$ for all $X$ and $Y$. It is also easy to see that probabilistic distinguishers do not perform better than deterministic ones: let $A_R$ be a probabilistic distinguisher that additionally takes some randomness $R$ as input. We have

$$\mathrm{Adv}^{A_R}(X,Y) := \sum_{r} P_R(r) \cdot \bigl|\Pr[A_r(X) = 1] - \Pr[A_r(Y) = 1]\bigr| .$$

Now let $r \in \mathcal{R}$ be the value that maximizes the expression

$$\bigl|\Pr[A_r(X) = 1] - \Pr[A_r(Y) = 1]\bigr| .$$

Then $A_r$ is a deterministic distinguisher with

$$\mathrm{Adv}^{A_r}(X,Y) \geq \mathrm{Adv}^{A_R}(X,Y) .$$

In the following, we will therefore only consider deterministic distinguishers. Lemma 2.1 shows that the triangle inequality holds for the distinguishing advantage.

Lemma 2.1 (Triangle inequality). For any $X$, $Y$, and $Z$ over $\mathcal{U}$, we have

$$\mathrm{Adv}^{A}(X,Z) \leq \mathrm{Adv}^{A}(X,Y) + \mathrm{Adv}^{A}(Y,Z) .$$

Proof. We have

$$\begin{aligned}
\mathrm{Adv}^{A}(X,Z) &= \bigl|\Pr[A(X) = 1] - \Pr[A(Z) = 1]\bigr| \\
&= \bigl|\Pr[A(X) = 1] - \Pr[A(Y) = 1] + \Pr[A(Y) = 1] - \Pr[A(Z) = 1]\bigr| \\
&\leq \bigl|\Pr[A(X) = 1] - \Pr[A(Y) = 1]\bigr| + \bigl|\Pr[A(Y) = 1] - \Pr[A(Z) = 1]\bigr| \\
&= \mathrm{Adv}^{A}(X,Y) + \mathrm{Adv}^{A}(Y,Z) .
\end{aligned}$$

□
It is easy to see that the same also holds for classes of distinguishers, i.e., for any $\mathcal{D}$, we have $\mathrm{Adv}^{\mathcal{D}}(X,Z) \leq \mathrm{Adv}^{\mathcal{D}}(X,Y) + \mathrm{Adv}^{\mathcal{D}}(Y,Z)$.

Definition 2.2. The statistical distance of two random variables $X$ and $Y$ (or two distributions $P_X$ and $P_Y$) over the same domain $\mathcal{U}$ is defined as

$$\Delta(X,Y) = \Delta(P_X, P_Y) := \frac{1}{2} \sum_{u \in \mathcal{U}} \bigl|P_X(u) - P_Y(u)\bigr| .$$

We say that $P_X$ is $\varepsilon$-close to $P_Y$, denoted by $P_X \equiv_{\varepsilon} P_Y$, if $\Delta(P_X, P_Y) \leq \varepsilon$. We say that a random variable $X$ is $\varepsilon$-close to uniform with respect to $Y$ if $P_{XY} \equiv_{\varepsilon} P_U P_Y$, where $P_U$ is the uniform distribution over $\mathcal{X}$.

Lemma 2.2. For all $X$ and $Y$, we have

$$\Delta(X,Y) = \Pr[X \in T] - \Pr[Y \in T] = \sum_{u \in T} \bigl(P_X(u) - P_Y(u)\bigr)$$

for $T := \{u \in \mathcal{U} \mid P_X(u) > P_Y(u)\}$.

Proof. We have

$$\begin{aligned}
\Delta(X,Y) &= \frac{1}{2} \sum_{u \in T} \bigl(P_X(u) - P_Y(u)\bigr) + \frac{1}{2} \sum_{u \notin T} \bigl(P_Y(u) - P_X(u)\bigr) \\
&= \frac{\Pr[X \in T]}{2} - \frac{\Pr[Y \in T]}{2} + \frac{\Pr[Y \notin T]}{2} - \frac{\Pr[X \notin T]}{2} \\
&= \Pr[X \in T] - \Pr[Y \in T] .
\end{aligned}$$

□

Lemma 2.3. For all $X$ and $Y$, we have

$$\Delta(X,Y) = \max_{S \subseteq \mathcal{U}} \bigl(\Pr[X \in S] - \Pr[Y \in S]\bigr) .$$

Proof. Follows directly from Lemma 2.2, since

$$\Pr[X \in S] - \Pr[Y \in S]$$

is maximal for $S = T$. □
From Lemma 2.3 it now follows that

$$\mathrm{Adv}^{\mathcal{D}}(X,Y) = \Delta(X,Y) ,$$

where $\mathcal{D}$ is the class of all (also inefficient) distinguishers.

Lemma 2.4. For any $X$ and $Y$ over $\mathcal{U}$ and $f : \mathcal{U} \to \mathcal{V}$, we have

$$\Delta(f(X), f(Y)) \leq \Delta(X,Y) .$$

Proof. Let $\mathcal{D}$ be the class of all (also inefficient) distinguishers, and let $D(v)$ be a distinguisher such that

$$\mathrm{Adv}^{D}(f(X), f(Y)) = \mathrm{Adv}^{\mathcal{D}}(f(X), f(Y)) .$$

Then, for $D'(u) := D(f(u))$, we have

$$\mathrm{Adv}^{D'}(X,Y) = \mathrm{Adv}^{\mathcal{D}}(f(X), f(Y)) .$$

Since $D' \in \mathcal{D}$, we have

$$\Delta(f(X), f(Y)) = \mathrm{Adv}^{\mathcal{D}}(f(X), f(Y)) = \mathrm{Adv}^{D'}(X,Y) \leq \mathrm{Adv}^{\mathcal{D}}(X,Y) = \Delta(X,Y) .$$

□

Lemma 2.5. Let $P_{BX}$ and $P_{CY}$ be distributions over $\{0,1\}\times\mathcal{U}$ such that $\Pr[B=1] = \Pr[C=1] = \varepsilon$. Then

$$\Delta(P_X,P_Y) \le \varepsilon + \Delta(P_{X|B=0}, P_{Y|C=0}) \,.$$

Proof. For any set $S\subseteq\mathcal{U}$, we have

$$\begin{aligned}
\Pr[X\in S] - \Pr[Y\in S] &= \varepsilon\cdot\bigl(\Pr[X\in S\mid B=1] - \Pr[Y\in S\mid C=1]\bigr) \\
&\quad + (1-\varepsilon)\cdot\bigl(\Pr[X\in S\mid B=0] - \Pr[Y\in S\mid C=0]\bigr) \\
&\le \varepsilon + \bigl(\Pr[X\in S\mid B=0] - \Pr[Y\in S\mid C=0]\bigr) \\
&\le \varepsilon + \max_{S'\subseteq\mathcal{U}}\bigl(\Pr[X\in S'\mid B=0] - \Pr[Y\in S'\mid C=0]\bigr) \\
&= \varepsilon + \Delta(P_{X|B=0}, P_{Y|C=0}) \,,
\end{aligned}$$

and therefore

$$\Delta(X,Y) = \max_{S\subseteq\mathcal{U}}\bigl(\Pr[X\in S] - \Pr[Y\in S]\bigr) \le \varepsilon + \Delta(P_{X|B=0}, P_{Y|C=0}) \,.$$

□



2.3 Prediction of Random Variables 



For the case where $X\in\{0,1\}$, we will also use another measure of its closeness to uniform with respect to a random variable $Y$, the maximal bit-prediction advantage, which measures how well $X$ can be predicted from $Y$. See also Section 2.1 in [Hol06].

Definition 2.3. Let $P_{XY}$ be a distribution over $\{0,1\}\times\mathcal{Y}$. The maximal bit-prediction advantage of $X$ from $Y$ is

$$\mathrm{PredAdv}(X\mid Y) := 2\cdot\max_f \Pr[f(Y) = X] - 1 \,.$$

In other words, if $\mathrm{PredAdv}(X\mid Y) = \delta$, then we have for all functions $f:\mathcal{Y}\to\{0,1\}$

$$\Pr[f(Y) = X] \le \frac{1+\delta}{2} \,.$$

First, we show that $\mathrm{PredAdv}(X\mid Y) \le 2\varepsilon$ if and only if $X$ is $\varepsilon$-close to uniform with respect to $Y$.

Lemma 2.6. Let $P_{XY}$ be a distribution over $\{0,1\}\times\mathcal{Y}$. Then

$$\mathrm{PredAdv}(X\mid Y) = 2\cdot\Delta(P_{XY}, P_U P_Y) \,,$$

where $P_U$ is the uniform distribution over $\{0,1\}$.

Proof. Obviously, the best function $f:\mathcal{Y}\to\{0,1\}$ for guessing $X$ is

$$f(y) := \begin{cases} 0 & \text{if } P_{XY}(0,y) \ge P_{XY}(1,y), \\ 1 & \text{otherwise.} \end{cases}$$

We have

$$\begin{aligned}
2\Pr[f(Y)=X] - 1 &= 2\sum_y P_Y(y)\,P_{X|Y=y}(f(y)) - \sum_y P_Y(y) \\
&= \sum_y P_Y(y)\bigl(P_{X|Y=y}(f(y)) - (1 - P_{X|Y=y}(f(y)))\bigr) \\
&= \sum_y P_Y(y)\bigl(P_{X|Y=y}(f(y)) - P_{X|Y=y}(1-f(y))\bigr) \\
&= \sum_y P_Y(y)\,\bigl|P_{X|Y=y}(0) - P_{X|Y=y}(1)\bigr| \\
&= \sum_y P_Y(y)\sum_x \Bigl|P_{X|Y=y}(x) - \frac{1}{2}\Bigr| \\
&= 2\cdot\Delta(P_{XY}, P_U P_Y) \,.
\end{aligned}$$

□



Lemma 2.7 follows immediately from Lemmas 2.4 and 2.6.

Lemma 2.7. Let $P_{XY}$ be a distribution over $\{0,1\}\times\mathcal{Y}$, and let $f:\mathcal{Y}\to\mathcal{Y}'$. Then

$$\mathrm{PredAdv}(X\mid f(Y)) \le \mathrm{PredAdv}(X\mid Y) \,.$$

The following lemma shows that for any distribution $P_{XY}$ over $\{0,1\}\times\mathcal{Y}$, we can define an event that has probability $1 - \mathrm{PredAdv}(X\mid Y)$, such that conditioned on that event, $X$ is uniformly distributed given $Y$, and therefore no function $f(Y)$ can predict $X$.

Lemma 2.8. Let $P_{XY}$ be any distribution over $\{0,1\}\times\mathcal{Y}$. There exists a conditional distribution $P_{B|XY}$ over $\{0,1\}\times\{0,1\}\times\mathcal{Y}$ such that

$$\Pr[B=1] \le \mathrm{PredAdv}(X\mid Y)$$

and such that for all functions $f:\mathcal{Y}\to\{0,1\}$,

$$\Pr[f(Y)=X\mid B=0] = 1/2 \,.$$

Proof. We define

$$P_{B|XY}(0\mid x,y) := \frac{\min(P_{XY}(0,y), P_{XY}(1,y))}{P_{XY}(x,y)} \,.$$

Using Lemma 2.6, we get

$$\begin{aligned}
\Pr[B=1] &= \sum_{x,y} P_{XY}(x,y)\,P_{B|XY}(1\mid x,y) \\
&= \sum_{x,y} P_{XY}(x,y)\Bigl(1 - \frac{\min(P_{XY}(0,y),P_{XY}(1,y))}{P_{XY}(x,y)}\Bigr) \\
&= \sum_{x,y}\bigl(P_{XY}(x,y) - \min(P_{XY}(0,y),P_{XY}(1,y))\bigr) \\
&= \sum_y \bigl|P_{XY}(0,y) - P_{XY}(1,y)\bigr| \\
&= \sum_y P_Y(y)\sum_x\Bigl|P_{X|Y=y}(x) - \frac{1}{2}\Bigr| \\
&= 2\cdot\Delta(P_{XY}, P_U P_Y) = \mathrm{PredAdv}(X\mid Y) \,.
\end{aligned}$$

For $x\in\{0,1\}$, we have

$$\begin{aligned}
P_{X|BY}(x\mid 0,y) &= \frac{P_{X|Y}(x\mid y)\cdot P_{B|XY}(0\mid x,y)}{P_{B|Y}(0\mid y)} \\
&= \frac{P_{X|Y}(x\mid y)\cdot\min(P_{XY}(0,y),P_{XY}(1,y))}{P_{B|Y}(0\mid y)\cdot P_Y(y)\cdot P_{X|Y}(x\mid y)} \\
&= \frac{\min(P_{XY}(0,y),P_{XY}(1,y))}{P_{BY}(0,y)} \,.
\end{aligned}$$

Since $P_{X|BY}(x\mid 0,y)$ does not depend on $x$, it must be equal to $1/2$, and, therefore, we have, for all functions $f$ and for all values $y$,

$$\Pr[f(Y)=X\mid B=0, Y=y] = 1/2 \,.$$

□



Lemma 2.9 shows that the statement of Lemma 2.8 also works in the other direction. If there exists an event with probability $1-\delta$ under which $X$ cannot be guessed from $Y$ with any advantage, then $\mathrm{PredAdv}(X\mid Y) \le \delta$.

Lemma 2.9. Let $P_{XY}$ be any distribution over $\{0,1\}\times\mathcal{Y}$. If there exists a conditional distribution $P_{B|XY}$ over $\{0,1\}\times\{0,1\}\times\mathcal{Y}$ such that for all functions $f:\mathcal{Y}\to\{0,1\}$ we have

$$\Pr[f(Y)=X\mid B=0] = 1/2 \,,$$

then

$$\mathrm{PredAdv}(X\mid Y) \le \Pr[B=1] \,.$$

Proof. For any function $f$, we have

$$\begin{aligned}
\Pr[f(Y)=X] &= \Pr[B=0]\cdot\Pr[f(Y)=X\mid B=0] + \Pr[B=1]\cdot\Pr[f(Y)=X\mid B=1] \\
&\le 1/2\cdot\Pr[B=0] + \Pr[B=1] \,,
\end{aligned}$$

and, therefore,

$$\mathrm{PredAdv}(X\mid Y) = 2\cdot\max_f\Pr[f(Y)=X] - 1 \le \Pr[B=0] + 2\cdot\Pr[B=1] - 1 = \Pr[B=1] \,.$$

□



The following lemmas show some rules for $\mathrm{PredAdv}(X\mid Y)$.

Lemma 2.10. Let $P_{X_0Y_0}, \dots, P_{X_{n-1}Y_{n-1}}$ be distributions over $\{0,1\}\times\mathcal{Y}_i$. Then

$$\mathrm{PredAdv}(X_0\oplus\dots\oplus X_{n-1}\mid Y^n) \le \prod_{i=0}^{n-1}\mathrm{PredAdv}(X_i\mid Y_i) \,.$$

Proof. For $i\in\{0,\dots,n-1\}$, let $B_i$ be the random variable defined by Lemma 2.8. Let $B = \min_i(B_i)$. If $B=0$ then for a $j\in\{0,\dots,n-1\}$ we have $B_j = 0$. Therefore, $X_j$ is uniformly at random given $Y_j$, and any $f:\mathcal{Y}^n\to\{0,1\}$ will output $X_0\oplus\dots\oplus X_{n-1}$ with probability $1/2$. The statement now follows from Lemma 2.9 and from the fact that

$$\Pr[B=1] = \prod_{i=0}^{n-1}\Pr[B_i=1] \,.$$

□



Lemma 2.11. Let $P_{X_0Y_0}, \dots, P_{X_{n-1}Y_{n-1}}$ be distributions over $\{0,1\}\times\mathcal{Y}_i$, and let $D_i := X_i\oplus X_{n-1}$. Then

$$\mathrm{PredAdv}(X_{n-1}\mid Y^n D^{n-1}) \le 1 - \prod_{i=0}^{n-1}\bigl(1 - \mathrm{PredAdv}(X_i\mid Y_i)\bigr) \,.$$

Proof. For $i\in\{0,\dots,n-1\}$, let $B_i$ be the random variable defined by Lemma 2.8, and let $B = \max_i(B_i)$. If $B = 0$ then for all $0\le i<n$ we have $B_i = 0$, and therefore $X_i$ will be uniformly at random given $Y_i$. It follows that $X_{n-1}$ is independent from $(Y^n, D^{n-1})$ and any $f:\mathcal{Y}^n\times\mathcal{D}\to\{0,1\}$ will output $X_{n-1}$ with probability $1/2$. The statement now follows from Lemma 2.9 and from the fact that

$$\Pr[B=1] = 1 - \prod_{i=0}^{n-1}\bigl(1 - \Pr[B_i=1]\bigr) \,.$$

□

Lemma 2.12. For all $X, Y\in\{0,1\}$ and $Z\in\mathcal{Z}$, we have

$$\mathrm{PredAdv}(X\oplus Y\mid YZ) = \mathrm{PredAdv}(X\mid YZ) \,.$$

Proof. If a function $f(y,z)$ can predict $X$ with advantage $a$, then the function $f'(y,z) := f(y,z)\oplus y$ can predict $X\oplus Y$ with advantage $a$, and if $g(y,z)$ can predict $X\oplus Y$ with advantage $a$, then the function $g'(y,z) := g(y,z)\oplus y$ can predict $X$ with advantage $a$. □
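As an added worked example (not part of the thesis), the following Python code evaluates Definitions 2.2 and 2.3 and the constructions of Lemmas 2.6, 2.8 and 2.10 exactly, with fractions, on a small constructed distribution; the distributions P_XY and Q_XY and all function names are assumptions of this example.

```python
from fractions import Fraction as Fr

# Added example, not part of the thesis. Distributions are dicts {(x, y): probability}
# with x in {0,1}; all arithmetic is exact so the lemmas can be checked as equalities.

# Constructed P_XY over {0,1} x {a,b,c}: the columns y="a" and y="c" are biased
# towards one value of x, the column y="b" is balanced.
P_XY = {
    (0, "a"): Fr(3, 10), (1, "a"): Fr(1, 10),
    (0, "b"): Fr(1, 5),  (1, "b"): Fr(1, 5),
    (0, "c"): Fr(1, 20), (1, "c"): Fr(3, 20),
}

# A second constructed distribution over {0,1} x {0,1}, used independently of P_XY
# in the Lemma 2.10 check.
Q_XY = {(0, 0): Fr(9, 20), (1, 0): Fr(1, 20), (0, 1): Fr(1, 4), (1, 1): Fr(1, 4)}


def marginal_y(p_xy):
    """P_Y(y) = sum_x P_XY(x, y)."""
    p_y = {}
    for (_x, y), p in p_xy.items():
        p_y[y] = p_y.get(y, Fr(0)) + p
    return p_y


def stat_distance(p, q):
    """Definition 2.2: Delta(P, Q) = 1/2 * sum_u |P(u) - Q(u)|."""
    return sum(abs(p.get(u, Fr(0)) - q.get(u, Fr(0))) for u in set(p) | set(q)) / 2


def uniform_times_py(p_xy):
    """P_U P_Y with P_U the uniform distribution over {0,1}."""
    return {(x, y): py / 2 for y, py in marginal_y(p_xy).items() for x in (0, 1)}


def pred_adv(p_xy):
    """Definition 2.3. The best guesser f(y) outputs the more likely x for each y
    (the f of Lemma 2.6), so max_f Pr[f(Y)=X] = sum_y max_x P_XY(x, y)."""
    best = sum(max(p_xy.get((0, y), Fr(0)), p_xy.get((1, y), Fr(0)))
               for y in marginal_y(p_xy))
    return 2 * best - 1


def lemma_2_8_event(p_xy):
    """The event B of Lemma 2.8: P_{B|XY}(0|x,y) = min_x' P_XY(x',y) / P_XY(x,y).
    Returns Pr[B=1] and, for every y with P_BY(0,y) > 0, the distribution
    P_{X|B=0,Y=y}, which the lemma says must be uniform."""
    pr_b1 = Fr(0)
    cond = {}
    for y in marginal_y(p_xy):
        p0, p1 = p_xy.get((0, y), Fr(0)), p_xy.get((1, y), Fr(0))
        m = min(p0, p1)
        # joint P_XBY(x, 0, y) = P_XY(x, y) * P_{B|XY}(0|x, y); zero-mass x stays zero
        joint_b0 = {x: (px * (m / px) if px else Fr(0)) for x, px in ((0, p0), (1, p1))}
        total = sum(joint_b0.values())      # P_BY(0, y)
        pr_b1 += (p0 + p1) - total          # P_BY(1, y)
        if total:
            cond[y] = {x: v / total for x, v in joint_b0.items()}
    return pr_b1, cond


def xor_of_independent(dists):
    """Joint distribution of (X_0 xor ... xor X_{n-1}, (Y_0, ..., Y_{n-1})) when the
    pairs (X_i, Y_i) are drawn independently from the given distributions."""
    joint = {(0, ()): Fr(1)}
    for d in dists:
        nxt = {}
        for (x_acc, ys), p in joint.items():
            for (x, y), q in d.items():
                key = (x_acc ^ x, ys + (y,))
                nxt[key] = nxt.get(key, Fr(0)) + p * q
        joint = nxt
    return joint


def lemma_2_10_check(dists):
    """Left- and right-hand side of Lemma 2.10 for independent (X_i, Y_i)."""
    lhs = pred_adv(xor_of_independent(dists))
    rhs = Fr(1)
    for d in dists:
        rhs *= pred_adv(d)
    return lhs, rhs
```

For independent pairs the XOR bound of Lemma 2.10 is attained with equality, which the check above makes visible on the constructed inputs.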



Chapter 3

Secure Two-Party Computation

In this chapter we give an introduction to a simplified version of universally composable two-party computation. We define security in the malicious and the semi-honest models, and show that these definitions allow protocols to be composed. Finally, we show that security in the malicious model does not imply security in the semi-honest model, and give a weaker security definition for the semi-honest model for which this implication holds.



3.1 Two-Party Computation

We start with some basic definitions. Our definitions are based on the formalism by Maurer [Mau06], as well as the formalisms of Backes, Pfitzmann and Waidner [PW01, BPW03] and Canetti [Can01], but simplified and adapted for our needs. Since we will only consider two players interacting with each other, we can simplify the notation. For example, we will not use any identification tags.

We will model everything in terms of systems which may interact with other systems or the environment via interfaces. We say that system F implements a set $\mathcal{I}$ of interfaces. There are two players present, which we will call A and B. The set of interfaces $\mathcal{I}$ can be divided into two sets: the set $\mathcal{I}_A$ of the interfaces belonging to player A, and the set $\mathcal{I}_B$ of the interfaces belonging to player B.






A system has an internal, possibly infinite supply of randomness. Every output of the system is a function of the received messages so far, and the internal randomness. The system is efficient if these functions can be evaluated efficiently, i.e., using a polynomial-time Turing machine. The whole interaction between systems is asynchronous, i.e., there is no global time.

Two systems F and G can be composed in parallel to a new system, denoted by F||G. The two sub-systems F and G do not interact with each other, and the resulting system has all the interfaces of the two subsystems.

We denote the parallel composition of $n$ times the same system F by $\mathrm{F}^n$.

A system G may use another system F as a subsystem, which we denote by G(F). G may have some interfaces that are connected to some interfaces of F. We use this notation because G can be viewed as a function that transforms a system F into a system G(F). F||G is a special case of this composition.



3.2 Distinguishing Systems

Definition 2.1 in Section 2.2, which defines the distinguishing advantage for random variables, can be generalized to systems in a straightforward way. A distinguisher is now an algorithm D that interacts with a system F and outputs 0 or 1.

[Figure: a distinguisher D interacting with a system and outputting $b\in\{0,1\}$.]

Definition 3.1. For two systems F and F', the distinguishing advantage of a distinguisher D in distinguishing F from F' is

$$\mathrm{Adv}^D(\mathrm{F},\mathrm{F}') := \bigl|\Pr[D(\mathrm{F})=1] - \Pr[D(\mathrm{F}')=1]\bigr| \,.$$

The distinguishing advantage of a class $\mathcal{D}$ of distinguishers in distinguishing F from F' is

$$\mathrm{Adv}^{\mathcal{D}}(\mathrm{F},\mathrm{F}') := \max_{D\in\mathcal{D}}\mathrm{Adv}^D(\mathrm{F},\mathrm{F}') \,.$$



The distinguishing advantage of systems still has the same important properties as the distinguishing advantage for random variables. Obviously we have $\mathrm{Adv}^{\mathcal{D}}(\mathrm{F},\mathrm{F}) = 0$ and $\mathrm{Adv}^{\mathcal{D}}(\mathrm{F}',\mathrm{F}) = \mathrm{Adv}^{\mathcal{D}}(\mathrm{F},\mathrm{F}')$, for all F and F'. Furthermore, it also satisfies the triangle inequality:

$$\mathrm{Adv}^{\mathcal{D}}(\mathrm{F},\mathrm{F}'') \le \mathrm{Adv}^{\mathcal{D}}(\mathrm{F},\mathrm{F}') + \mathrm{Adv}^{\mathcal{D}}(\mathrm{F}',\mathrm{F}'') \,,$$

for all $\mathcal{D}$, F, F', and F''.

Except in Chapter 7, $\mathcal{D}$ will be the set of all possible (also inefficient) distinguishers. In this case, we will omit the $\mathcal{D}$ and only write $\mathrm{Adv}(\mathrm{F},\mathrm{F}')$. We also write $\mathrm{F}\equiv_\varepsilon\mathrm{F}'$ for $\mathrm{Adv}(\mathrm{F},\mathrm{F}')\le\varepsilon$, and $\mathrm{F}\equiv\mathrm{F}'$ for $\mathrm{Adv}(\mathrm{F},\mathrm{F}') = 0$.

Similar to Lemma 2.4, we have for all systems G, F, and F'

$$\mathrm{Adv}(\mathrm{G}(\mathrm{F}),\mathrm{G}(\mathrm{F}')) \le \mathrm{Adv}(\mathrm{F},\mathrm{F}') \,,$$

since any distinguisher D that distinguishes G(F) from G(F') with an advantage of $\varepsilon$ can be used to distinguish F from F', by first applying G. If $\mathcal{D}$ is the class of all efficient distinguishers, then

$$\mathrm{Adv}^{\mathcal{D}}(\mathrm{G}(\mathrm{F}),\mathrm{G}(\mathrm{F}')) \le \mathrm{Adv}^{\mathcal{D}}(\mathrm{F},\mathrm{F}') \,,$$

if G is efficient.

Note that for the case where F and F' have no inputs and output random variables $X$ and $X'$, respectively, this definition is equivalent to Definition 2.1 and we have

$$\mathrm{Adv}(\mathrm{F},\mathrm{F}') = \Delta(X,X') \,.$$



3.3 Adversaries and Secure Protocols

In this section we define protocols and their security. In the following, we will often use special systems that only have interfaces for one player $p\in\{A,B\}$. We denote such systems by $\mathrm{F}_p$. For any systems $\mathrm{F}_A$, $\mathrm{F}_B$, and G, we have

$$\mathrm{F}_A(\mathrm{F}_B(\mathrm{G})) = \mathrm{F}_B(\mathrm{F}_A(\mathrm{G})) \,.$$

A system of the form $\mathrm{P}(\mathrm{F}) = (\mathrm{P}_A\|\mathrm{P}_B)(\mathrm{F}) = \mathrm{P}_A(\mathrm{P}_B(\mathrm{F}))$ is called a (two-party) protocol.





[Figure: the protocol $\mathrm{P}(\mathrm{F})$, with $\mathrm{P}_A$ and $\mathrm{P}_B$ connected to F.]





Players may be honest, which means that they follow the protocol, or they may be corrupted in two different ways. If a player is actively corrupted, he may behave in an arbitrary way. If a player is passively corrupted, then he follows the protocol, but forwards everything he sends or receives immediately over an additional interface that we will call the auxiliary interface. Such players are also called honest-but-curious.

The set of all corrupted players is called the adversary. Let

$$\mathcal{A}\subseteq\{A, B, \hat{A}, \hat{B}\}$$

be the set of corrupted players, where $A$ and $B$ are actively and $\hat{A}$ and $\hat{B}$ passively corrupted players. We will assume that this set is static, i.e., it is already determined before the protocol starts. We will not mix actively and passively corrupted players, and consider two different models. In the malicious model, the players may be actively corrupted, and in the semi-honest model the players may be passively corrupted. Furthermore, we can ignore the case where $\mathcal{A} = \{A,B\}$ or $\mathcal{A} = \{\hat{A},\hat{B}\}$, as we never have any requirement for these cases. Therefore, we only have to consider the case $|\mathcal{A}|\le 1$.

Because an adversary may be able to use a system in a different way than the honest players, we will use the following generalized notion of a system. A collection of systems

$$\mathrm{F} = (\mathrm{F}_\emptyset, \mathrm{F}_{\{A\}}, \mathrm{F}_{\{B\}}) \,, \qquad \mathrm{F} = (\mathrm{F}_\emptyset, \mathrm{F}_{\{\hat{A}\}}, \mathrm{F}_{\{\hat{B}\}})$$

(in the malicious or the semi-honest model) defines a different system $\mathrm{F}_{\mathcal{A}}$ for every possible set of corrupted players $\mathcal{A}$, where the honest players always have the same interfaces as in $\mathrm{F}_\emptyset$. This means that in $\mathrm{F}_{\{A\}}$ and $\mathrm{F}_{\{\hat{A}\}}$, B must have the same interfaces as in $\mathrm{F}_\emptyset$, and in $\mathrm{F}_{\{B\}}$ and $\mathrm{F}_{\{\hat{B}\}}$, A must have the same interfaces as in $\mathrm{F}_\emptyset$. Furthermore, the system $\mathrm{F}_{\mathcal{A}}$ should be at least as good for the adversary as the system $\mathrm{F}_\emptyset$, i.e., the adversary should always be able to behave honestly. $\mathrm{F}_{\mathcal{A}}$ can be interpreted as a model of a system where the adversary $\mathcal{A}$ can corrupt a part of the system F.

In the following, we will abuse the term "system", and also use it for collections of systems.



3.3.1 The Malicious Model

In the malicious model, the adversary is allowed to cheat actively, in an arbitrary way. Therefore, we do not have any restrictions on what the interface to the adversary may look like, as long as it allows him to behave honestly, if he wants.
We will now define the security of protocols. We say that a protocol P having access to the system F securely implements a system G, if, first of all, $\mathrm{G}_\emptyset = \mathrm{P}(\mathrm{F}_\emptyset)$, i.e., the protocol implements the system G correctly, given that both players are honest. Additionally, for $\mathcal{A} = \{p\}$, we require that the adversary attacking the protocol has no advantage over another adversary that attacks G directly. We therefore require that there exists a simulator $\mathrm{S}_p$ that simulates exactly what the adversary would get in the execution of the protocol P(F). Since the adversary may not follow the protocol, his view of the protocol is in fact the "raw" interface of F, without his part of the protocol.

Definition 3.2. A protocol $\mathrm{P}(\mathrm{F}) = (\mathrm{P}_A\|\mathrm{P}_B)(\mathrm{F})$ securely implements a system G in the malicious model with an error of at most $\varepsilon$, if

• (Correctness) $\mathrm{P}(\mathrm{F}_\emptyset) \equiv_\varepsilon \mathrm{G}_\emptyset$.

• (Security for A) There exists a system $\mathrm{S}_B$ (called the simulator for B), such that

$$\mathrm{P}_A(\mathrm{F}_{\{B\}}) \equiv_\varepsilon \mathrm{S}_B(\mathrm{G}_{\{B\}}) \,.$$

• (Security for B) There exists a system $\mathrm{S}_A$ (called the simulator for A), such that

$$\mathrm{P}_B(\mathrm{F}_{\{A\}}) \equiv_\varepsilon \mathrm{S}_A(\mathrm{G}_{\{A\}}) \,.$$

Note that the protocol P(F) can also be viewed as a new system E, defined by $\mathrm{E}_\emptyset := \mathrm{P}(\mathrm{F}_\emptyset)$, $\mathrm{E}_{\{B\}} := \mathrm{P}_A(\mathrm{F}_{\{B\}})$, and $\mathrm{E}_{\{A\}} := \mathrm{P}_B(\mathrm{F}_{\{A\}})$. Definition 3.2 could then be stated by comparing the systems E and G.

We do generally not require the simulation to be efficient. Therefore, an attack that is efficient in P(F) may be mapped to a very inefficient attack in G. This means that if the system G is replaced by the protocol P(F), the adversary may gain extra possibilities because he may be able to execute some attacks more efficiently in the new setting. More precisely, he gains the extra possibility of executing the simulator for free. Depending on the setting, this may be a problem. For example, if the simulator allows him to invert a one-way function, a system that relies on the assumption that inverting this one-way function is hard may not be secure anymore. On the other hand, if P(F) is used in a protocol that is information-theoretically secure, the additional, virtual computing power of the adversary will be of little use to him. Therefore, an efficient simulation is preferable, even in the model where the adversary is (potentially) unbounded, because it allows the protocol to be used also in the computational setting. A very important property of this security definition is that it allows protocols to be composed.

Figure 3.1: The three conditions for the security in the malicious model of a protocol $\mathrm{P} = (\mathrm{P}_A\|\mathrm{P}_B)$ that uses $\mathrm{F} = (\mathrm{F}_\emptyset, \mathrm{F}_{\{A\}}, \mathrm{F}_{\{B\}})$ and implements $\mathrm{G} = (\mathrm{G}_\emptyset, \mathrm{G}_{\{A\}}, \mathrm{G}_{\{B\}})$.

Theorem 3.1 (Composition theorem, malicious model). If P(F) securely implements G in the malicious model with an error of at most $\varepsilon_1$, and Q(H) securely implements F in the malicious model with an error of at most $\varepsilon_2$, then P(Q(H)) securely implements G in the malicious model with an error of at most $\varepsilon_1+\varepsilon_2$.

Proof. From $\mathrm{Q}(\mathrm{H}_\emptyset) \equiv_{\varepsilon_2} \mathrm{F}_\emptyset$ follows that $\mathrm{P}(\mathrm{Q}(\mathrm{H}_\emptyset)) \equiv_{\varepsilon_2} \mathrm{P}(\mathrm{F}_\emptyset)$. Since $\mathrm{P}(\mathrm{F}_\emptyset)\equiv_{\varepsilon_1}\mathrm{G}_\emptyset$, it follows from the triangle inequality that

$$\mathrm{P}(\mathrm{Q}(\mathrm{H}_\emptyset)) \equiv_{\varepsilon_1+\varepsilon_2} \mathrm{G}_\emptyset \,.$$

There exists a simulator $\mathrm{S}_B$, such that $\mathrm{Q}_A(\mathrm{H}_{\{B\}}) \equiv_{\varepsilon_2} \mathrm{S}_B(\mathrm{F}_{\{B\}})$. It follows that

$$\mathrm{P}_A(\mathrm{Q}_A(\mathrm{H}_{\{B\}})) \equiv_{\varepsilon_2} \mathrm{P}_A(\mathrm{S}_B(\mathrm{F}_{\{B\}})) = \mathrm{S}_B(\mathrm{P}_A(\mathrm{F}_{\{B\}})) \,.$$

Since there exists a simulator $\mathrm{T}_B$ such that $\mathrm{P}_A(\mathrm{F}_{\{B\}}) \equiv_{\varepsilon_1} \mathrm{T}_B(\mathrm{G}_{\{B\}})$, we have

$$\mathrm{S}_B(\mathrm{P}_A(\mathrm{F}_{\{B\}})) \equiv_{\varepsilon_1} \mathrm{S}_B(\mathrm{T}_B(\mathrm{G}_{\{B\}})) \,.$$

It follows from the triangle inequality that

$$\mathrm{P}_A(\mathrm{Q}_A(\mathrm{H}_{\{B\}})) \equiv_{\varepsilon_1+\varepsilon_2} \mathrm{S}_B(\mathrm{T}_B(\mathrm{G}_{\{B\}})) \,,$$

and hence the protocol is secure for A, with an error of at most $\varepsilon_1+\varepsilon_2$. The security for B can be shown in the same way. □



3.3.2 The Semi-Honest Model

In the semi-honest model, the adversary is passive. Instead of executing $\mathrm{P}_p$, a passively corrupted player $p$ executes $\hat{\mathrm{P}}_p$, which is equal to $\mathrm{P}_p$, but forwards everything it sends or receives immediately over an auxiliary interface. Note that the output of the auxiliary interface contains the entire view of the corrupted player, and therefore also the output of the honest interface.

We require that every system in a collection must also have the same interfaces for the adversary as for the honest player, because the adversary executes the protocol honestly and can only connect to these interfaces. However, the system has auxiliary output interfaces for the adversary, that provide him with some extra information.
Let $\mathcal{A} = \{\hat{p}\}$. A protocol P(F) securely implements a system G in the semi-honest model if there exists a simulator $\mathrm{S}_p$ that accesses the interaction of the system $\mathrm{G}_{\{\hat{p}\}}$ with player $p$ and produces the same output as $\hat{\mathrm{P}}_p$. Furthermore, the simulator $\mathrm{S}_p$ is not allowed to modify the inputs and outputs on the interfaces of the honest player, because we require that the simulated adversary attacking G is also only passively, and not actively corrupted. Otherwise, the protocol could not be composed. We get the following definition.

Figure 3.2: The three conditions for the security in the semi-honest model of a two-party protocol $\mathrm{P} = (\mathrm{P}_A\|\mathrm{P}_B)$ that uses $\mathrm{F} = (\mathrm{F}_\emptyset, \mathrm{F}_{\{\hat{A}\}}, \mathrm{F}_{\{\hat{B}\}})$ and implements $\mathrm{G} = (\mathrm{G}_\emptyset, \mathrm{G}_{\{\hat{A}\}}, \mathrm{G}_{\{\hat{B}\}})$.

Definition 3.3. A protocol $\mathrm{P}(\mathrm{F}) = (\mathrm{P}_A\|\mathrm{P}_B)(\mathrm{F})$ securely implements G in the semi-honest model with an error of at most $\varepsilon$, if

• (Correctness) $\mathrm{P}(\mathrm{F}_\emptyset) \equiv_\varepsilon \mathrm{G}_\emptyset$.

• (Security for A) There exists a system $\mathrm{S}_B$ (called the simulator for B), that only modifies the auxiliary interfaces, such that

$$(\mathrm{P}_A\|\hat{\mathrm{P}}_B)(\mathrm{F}_{\{\hat{B}\}}) \equiv_\varepsilon \mathrm{S}_B(\mathrm{G}_{\{\hat{B}\}}) \,.$$

• (Security for B) There exists a system $\mathrm{S}_A$ (called the simulator for A), that only modifies the auxiliary interfaces, such that

$$(\hat{\mathrm{P}}_A\|\mathrm{P}_B)(\mathrm{F}_{\{\hat{A}\}}) \equiv_\varepsilon \mathrm{S}_A(\mathrm{G}_{\{\hat{A}\}}) \,.$$

As in the malicious model, we can show that protocols in the semi-honest model compose.

Theorem 3.2 (Composition theorem, semi-honest model). If P(F) securely implements G in the semi-honest model with an error of at most $\varepsilon_1$, and Q(H) securely implements F in the semi-honest model with an error of at most $\varepsilon_2$, then P(Q(H)) securely implements G in the semi-honest model with an error of at most $\varepsilon_1+\varepsilon_2$.
Proof sketch. From $\mathrm{Q}(\mathrm{H}_\emptyset) \equiv_{\varepsilon_2} \mathrm{F}_\emptyset$ follows that $\mathrm{P}(\mathrm{Q}(\mathrm{H}_\emptyset)) \equiv_{\varepsilon_2} \mathrm{P}(\mathrm{F}_\emptyset)$. Since $\mathrm{P}(\mathrm{F}_\emptyset) \equiv_{\varepsilon_1} \mathrm{G}_\emptyset$, it follows from the triangle inequality that

$$\mathrm{P}(\mathrm{Q}(\mathrm{H}_\emptyset)) \equiv_{\varepsilon_1+\varepsilon_2} \mathrm{G}_\emptyset \,.$$

There exists a simulator $\mathrm{S}_B$, such that $(\mathrm{Q}_A\|\hat{\mathrm{Q}}_B)(\mathrm{H}_{\{\hat{B}\}}) \equiv_{\varepsilon_2} \mathrm{S}_B(\mathrm{F}_{\{\hat{B}\}})$. It follows that

$$(\mathrm{P}_A\|\hat{\mathrm{P}}_B)((\mathrm{Q}_A\|\hat{\mathrm{Q}}_B)(\mathrm{H}_{\{\hat{B}\}})) \equiv_{\varepsilon_2} (\mathrm{P}_A\|\hat{\mathrm{P}}_B)(\mathrm{S}_B(\mathrm{F}_{\{\hat{B}\}})) \,.$$

Note that $\hat{\mathrm{P}}_B$ passes all its communication to B, and $\mathrm{S}_B$ only modifies the additional output, but leaves the messages of the honest player unchanged. Furthermore, all messages that $\mathrm{S}_B$ sees will be passed along by the protocol $\hat{\mathrm{P}}_B$. Hence, we can move $\mathrm{S}_B$ to the outside, i.e.,

$$(\mathrm{P}_A\|\hat{\mathrm{P}}_B)(\mathrm{S}_B(\mathrm{F}_{\{\hat{B}\}})) = \mathrm{S}_B((\mathrm{P}_A\|\hat{\mathrm{P}}_B)(\mathrm{F}_{\{\hat{B}\}})) \,.$$

Since there exists a simulator $\mathrm{T}_B$ such that $(\mathrm{P}_A\|\hat{\mathrm{P}}_B)(\mathrm{F}_{\{\hat{B}\}}) \equiv_{\varepsilon_1} \mathrm{T}_B(\mathrm{G}_{\{\hat{B}\}})$, we have

$$\mathrm{S}_B((\mathrm{P}_A\|\hat{\mathrm{P}}_B)(\mathrm{F}_{\{\hat{B}\}})) \equiv_{\varepsilon_1} \mathrm{S}_B(\mathrm{T}_B(\mathrm{G}_{\{\hat{B}\}})) \,.$$

It follows from the triangle inequality that

$$(\mathrm{P}_A\|\hat{\mathrm{P}}_B)((\mathrm{Q}_A\|\hat{\mathrm{Q}}_B)(\mathrm{H}_{\{\hat{B}\}})) \equiv_{\varepsilon_1+\varepsilon_2} \mathrm{S}_B(\mathrm{T}_B(\mathrm{G}_{\{\hat{B}\}})) = (\mathrm{S}_B(\mathrm{T}_B))(\mathrm{G}_{\{\hat{B}\}}) \,.$$

Since $\mathrm{S}_B(\mathrm{T}_B)$ only modifies the auxiliary output, it is a valid simulator, and hence the protocol is secure for A with an error of at most $\varepsilon_1+\varepsilon_2$. The security for B can be shown in the same way. □

From passive to active security. Since security against passively corrupted players is quite weak in practice, it is preferable to have a protocol that is secure against active adversaries. [GMW87] showed that it is possible to convert any protocol that is secure in the semi-honest model into a protocol that is secure in the malicious model, by forcing all players to follow the protocol. To achieve this, every player must commit himself to all the values he has, and in every step of the protocol, he must prove in zero-knowledge that he has executed the computation correctly. We will not further comment on this method, and refer to [GMW87, Cre90, CvdGT95, DKS99, CLOS02, DFMS04] for any details.
3.3.3 The Weak Semi-Honest Model

We would expect that every protocol that is secure in the malicious model is also secure in the semi-honest model, since the adversary is restricted in the latter case. Unfortunately this is not always true. The security condition in the malicious model only tells us that for any (also semi-honest) adversary there exists a malicious adversary for the ideal system. On the other hand, the security condition in the semi-honest model requires the adversary for the ideal system to be semi-honest. The following example, which we call the asymmetric dating problem, illustrates the difference.

Example 1 (The asymmetric dating problem). Let the system F be defined as follows. It receives a value $x\in\{0,1\}$ from A, and a value $y\in\{0,1\}$ from B. Then, it outputs $z := x\cdot y$ to B.

Let Comm be a communication channel, and let the protocol P(Comm) be defined as follows. $\mathrm{P}_A$ receives input $x\in\{0,1\}$ and sends $x$ over Comm to B. $\mathrm{P}_B$ receives input $y\in\{0,1\}$ from B and $x$ over Comm and outputs $z := x\cdot y$. Let us look at the security for A. It is easy to see that P(Comm) securely implements F in the malicious model, since the simulator $\mathrm{S}_B$ can always input $y = 1$ to F and obtain the same information as in P(F). However, the protocol P(Comm) is not secure in the semi-honest model. Since the simulator $\mathrm{S}_B$ is not allowed to change the value $y$, $\mathrm{S}_B$ cannot simulate $x$ if $y = 0$.

We will now present a weaker security definition for the semi-honest model that is also strictly weaker than the security definition of the malicious model. The only difference to Definition 3.3 is that we allow arbitrary simulators, i.e., the simulator may modify the inputs as it likes.

Definition 3.4. A protocol $\mathrm{P}(\mathrm{F}) = (\mathrm{P}_A\|\mathrm{P}_B)(\mathrm{F})$ securely implements G in the weak semi-honest model with an error of at most $\varepsilon$, if

• (Correctness) $\mathrm{P}(\mathrm{F}_\emptyset) \equiv_\varepsilon \mathrm{G}_\emptyset$.

• (Security for A) There exists a system $\mathrm{S}_B$ (called the simulator for B), such that

$$(\mathrm{P}_A\|\hat{\mathrm{P}}_B)(\mathrm{F}_{\{\hat{B}\}}) \equiv_\varepsilon \mathrm{S}_B(\mathrm{G}_{\{B\}}) \,.$$

• (Security for B) There exists a system $\mathrm{S}_A$ (called the simulator for A), such that

$$(\hat{\mathrm{P}}_A\|\mathrm{P}_B)(\mathrm{F}_{\{\hat{A}\}}) \equiv_\varepsilon \mathrm{S}_A(\mathrm{G}_{\{A\}}) \,.$$

Lemma 3.1. If a protocol $\mathrm{P}(\mathrm{F}) = (\mathrm{P}_A\|\mathrm{P}_B)(\mathrm{F})$ securely implements G in the semi-honest model or in the malicious model with an error of at most $\varepsilon$, then it also securely implements G in the weak semi-honest model with an error of at most $\varepsilon$.

Proof. It is obvious that security in the semi-honest model implies security in the weak semi-honest model.

Let us assume that $\mathrm{P}(\mathrm{F}) = (\mathrm{P}_A\|\mathrm{P}_B)(\mathrm{F})$ securely implements G in the malicious model. The correctness condition in the weak semi-honest model is the same as in the malicious model.

From the security for A follows that there exists a simulator $\mathrm{S}_B$, such that

$$\mathrm{P}_A(\mathrm{F}_{\{B\}}) \equiv_\varepsilon \mathrm{S}_B(\mathrm{G}_{\{B\}}) \,.$$

Therefore, we have

$$(\mathrm{P}_A\|\hat{\mathrm{P}}_B)(\mathrm{F}_{\{B\}}) = \hat{\mathrm{P}}_B(\mathrm{P}_A(\mathrm{F}_{\{B\}})) \equiv_\varepsilon \hat{\mathrm{P}}_B(\mathrm{S}_B(\mathrm{G}_{\{B\}})) = (\hat{\mathrm{P}}_B(\mathrm{S}_B))(\mathrm{G}_{\{B\}}) \,.$$

The system $\mathrm{T}_B := \hat{\mathrm{P}}_B(\mathrm{S}_B)$ is a simulator, which implies security for A in the weak semi-honest model. The security for B can be shown in the same way. □

Unfortunately, Definition 3.4 is too weak to allow for composition, and is therefore not a very useful definition for the security of protocols. The only composition that is possible is the following, where the outer protocol is secure in the weak semi-honest model, and the inner protocol is secure in the semi-honest model.

Theorem 3.3 (Simple composition theorem, weak semi-honest model). If P(F) securely implements G in the weak semi-honest model with an error of at most $\varepsilon_1$, and Q(H) securely implements F in the semi-honest model with an error of at most $\varepsilon_2$, then P(Q(H)) securely implements G in the weak semi-honest model with an error of at most $\varepsilon_1+\varepsilon_2$.



Proof sketch. The proof can be done in the same way as the proof of Theorem 3.2. The only difference is that now, the simulator $\mathrm{T}_B$ is not restricted in any way. The argument works in the same way except that the resulting simulator $\mathrm{S}_B(\mathrm{T}_B)$ will not be restricted either. Hence, the protocol is secure in the weak semi-honest model. □

The weak semi-honest model is useful to prove impossibilities, since it is weaker than the definitions in both the malicious and the semi-honest models. If we can show that there cannot exist a protocol in the weak semi-honest model, then there can neither exist a protocol secure in the malicious, nor in the semi-honest model.



3.4 Discussion

In this chapter we presented a simplified universally composable framework for two-party computation. We did not use the frameworks presented in [PW01, BPW03] or [Can01] because they are far too complex and too general for what we will need them. Our simplified framework will make the results in the following chapters easier to state, and hopefully also easier to understand. However, this also means that in order to fit our results into more general frameworks such as [PW01, BPW03] or [Can01], additional work will be needed.

If our protocols are to be executed in an environment where more players are present, we have to make sure that all the other players do not get any information over the inputs or the outputs of A and B. This can be achieved by requiring that all our two-party systems are completely independent of the other players. This means for example that all channels must be secure and authentic.



Chapter 4 



Oblivious Transfer 



In this chapter we introduce the primitives oblivious transfer (OT) and randomized oblivious transfer (ROT), which is a variant of OT where the inputs of the honest players are chosen at random.

We start by showing that OT and ROT are equivalent if noiseless communication is available for free. Then, we show that ROT is symmetric by presenting a protocol that converts an instance of ROT into an instance of ROT in the opposite direction. This implies that also the direction of OT can be reversed in a very simple way (Theorem 4.1).

In Theorems 4.2 and 4.3 we give information-theoretic conditions for the security of ROT. These conditions are similar to the ones presented in [CSSW06], however we are able to show a stronger result, as our conditions imply that a protocol which satisfies them is universally composable, and not only sequentially. Also, our conditions have explicit error terms, which makes them easier to use.

All the results will be stated in the malicious and the semi-honest model.






4.1 (Randomized) Oblivious Transfer

In this section we will introduce oblivious transfer (OT), and a randomized version of OT called randomized OT (ROT).

Definition 4.1 (Oblivious transfer). The system $\binom{n}{1}$-$\mathrm{OT}^\ell$ (or, if the values of $n$ and $\ell$ are clear from the context, OT) is defined as follows. First, it waits for B to send his input $c\in\{0,\dots,n-1\}$, and sends $\bot$ to A.¹ After having received input $x^n = (x_0,\dots,x_{n-1})\in\{0,1\}^{\ell n}$ from A, it sends $y := x_c$ to B. (Notice that $\mathrm{OT} = \mathrm{OT}_\emptyset = \mathrm{OT}_{\{A\}} = \mathrm{OT}_{\{B\}}$.)



[Figure: the system OT.]



(Note that from now on, the drawings will also include timing aspects. The time flows from the top to the bottom. The dotted lines indicate waiting points, where the system waits to receive all messages above the line before it continues.)

We use the same version of OT as [CLOS02], where the sender is notified about the fact that the receiver has made his choice. Notice that in [Can01, Fis06], OT has been defined differently. There, the honest sender does not get this notification. We do not know how to securely implement OT if the malicious sender does not get to know the fact that the receiver has made his choice. Therefore, it is preferable to also give this information to the honest sender. For example, this allows us to easily implement a bit-commitment protocol from the receiver to the sender. Also, only this definition allows us to show that OT and ROT are equivalent if noiseless communication is available for free.

Often, it is much easier to implement a randomized version of OT, called randomized oblivious transfer (ROT), first. One way of defining ROT would be to make it equivalent to OT, but where all the inputs are chosen uniformly at random by the system. This definition would, however, not be very useful, because it is too strong: any secure implementation would have to make sure that all values are indeed chosen uniformly at random, which can be very difficult. Furthermore, it turns out that in most applications this is not needed. We will, therefore, define ROT as a collection of systems, where the adversary can choose her own output.

¹ This is a message without any content, which notifies A about the fact that B has sent his input $c$.

Definition 4.2 (Randomized oblivious transfer, malicious model). The system $\binom{n}{1}$-$\mathrm{ROT}^\ell$ (or, if the values of $n$ and $\ell$ are clear from the context, ROT) is defined as a collection of systems

$$\mathrm{ROT} = (\mathrm{ROT}_\emptyset, \mathrm{ROT}_{\{A\}}, \mathrm{ROT}_{\{B\}}) \,,$$

where

• $\mathrm{ROT}_\emptyset$: The system chooses uniformly at random the values $x^n\in\{0,1\}^{\ell n}$ and $c\in\{0,\dots,n-1\}$. It sends $x^n$ to A and $(c,y)$ to B, where $y = x_c$.

• $\mathrm{ROT}_{\{A\}}$: The system waits for A to send the value $x^n\in\{0,1\}^{\ell n}$. Then, it chooses the value $c\in\{0,\dots,n-1\}$ uniformly at random and sends $(c,y)$ to B, where $y = x_c$.

• $\mathrm{ROT}_{\{B\}}$: The system waits for B to send the value $(c,y)\in\{0,\dots,n-1\}\times\{0,1\}^\ell$. Then, it sets $x_c = y$, chooses the values $x_i\in\{0,1\}^\ell$ uniformly at random for $i\ne c$, and sends $x^n\in\{0,1\}^{\ell n}$ to A.







[Figure: the systems $\mathrm{ROT}_\emptyset$, $\mathrm{ROT}_{\{A\}}$ and $\mathrm{ROT}_{\{B\}}$.]



We will now show that OT and ROT are equivalent if communication is given for free, by presenting two protocols that securely implement one system using one instance of the other and a communication channel.

Protocol ROTfromOT = ROTfromOT$_A$ || ROTfromOT$_B$ securely implements ROT from one instance of OT, and is defined as follows.

Protocol 1. ROTfromOT$_A$:

1. Choose $x^n\in\{0,1\}^{\ell n}$ uniformly at random.

2. Send $x^n$ to OT.

3. Receive $\bot$ from OT.

4. Output $x^n$.

ROTfromOT$_B$:

1. Choose $c\in\{0,\dots,n-1\}$ uniformly at random.

2. Send $c$ to OT.

3. Receive $y\in\{0,1\}^\ell$ from OT.

4. Output $(c,y)$.



[Figure: the protocol ROTfromOT = (ROTfromOT$_A$ || ROTfromOT$_B$) using OT.]



Lemma 4.1. $\mathrm{ROTfromOT}(\binom{n}{1}\text{-}\mathrm{OT}^\ell)$ securely implements $\binom{n}{1}$-$\mathrm{ROT}^\ell$ in the malicious model.

Proof. Obviously, we have $\mathrm{ROT}_\emptyset = \mathrm{ROTfromOT}(\mathrm{OT}_\emptyset)$.

ROTfromOT$_A$(OT) waits for input $c$ from B, and then outputs $x^n$ to A, where all $x_i$ are chosen uniformly at random and independently of the rest, and $y := x_c$ to B. We define $\mathrm{S}_B$ as follows. It waits for input $c$ from B. Then it chooses $y\in\{0,1\}^\ell$ uniformly at random, sends $(c,y)$ to $\mathrm{ROT}_{\{B\}}$, and outputs $y$.



ROTfromOT A 



_L 



OT 



ROT 



{B} 



c,y 



It is easy to verify that ROTfromOT$_A$(OT$_{\{B\}}$) = S$_B$(ROT$_{\{B\}}$). 
ROTfromOT$_B$(OT$_{\{A\}}$) outputs $\bot$ to A. It waits for input $x^n$ from A, chooses a 
value $c \in \{0, \dots, n-1\}$ uniformly at random, and sends $c$ and $y := x_c$ to 
B. We define S$_A$ as follows. It outputs $\bot$ to A. It waits for input $x^n$ from 
A and sends it to ROT$_{\{A\}}$. 

[Figure: ROTfromOT$_B$ running with OT (left) beside S$_A$ running with ROT$_{\{A\}}$ (right); both expose $\bot$ and the input $x^n$ to A and the output $(c, y)$ to B.] 
It is easy to verify that ROTfromOT$_B$(OT$_{\{A\}}$) = S$_A$(ROT$_{\{A\}}$). □ 

To implement OT from ROT, A and B need to be able to communicate. 
We will therefore additionally need the system Comm, which implements 
a communication channel from A to B and from B to A. Note that, in 
contrast to OT or ROT, Comm can be used many times. 

Definition 4.3 (Channel). The system Comm is defined as follows. Every 
time it receives a message $m \in \{0,1\}^*$ from $p \in \{A, B\}$, it sends it to the 
other player in $\{A, B\}$. 

We can now state the protocol OTfromROT, which was first proposed in 
[BBCS92] to securely implement OT using ROT and Comm. The protocol 
is defined as follows. 

Protocol 2. OTfromROT$_A$: 

1. Receive $d \in \{0, \dots, n-1\}$ from Comm and $(x')^n \in \{0,1\}^{\ell \cdot n}$ from 
ROT. 

2. Output $\bot$ to A. 

3. Receive $x^n \in \{0,1\}^{\ell \cdot n}$ from A. 

4. Send $m^n \in \{0,1\}^{\ell \cdot n}$ to Comm, where $m_i := x_i \oplus x'_{i+d \pmod n}$. 

OTfromROT$_B$: 

1. Receive $c \in \{0, \dots, n-1\}$ from B and $(c', y') \in \{0, \dots, n-1\} \times \{0,1\}^\ell$ 
from ROT. 

2. Send $d := c' - c \pmod n$ to Comm. 

3. Receive $m^n \in \{0,1\}^{\ell \cdot n}$ from Comm. 

4. Output $y := m_c \oplus y'$ to B. 

[Figure: protocol OTfromROT. OTfromROT$_A$ outputs $\bot$ to A; OTfromROT$_A$ and OTfromROT$_B$ both use ROT and exchange $d$ and $m^n$ over Comm.] 
Lemma 4.2. OTfromROT($\binom{n}{1}$-ROT$^\ell$||Comm) securely implements $\binom{n}{1}$-OT$^\ell$ 
in the malicious model. 



Proof. OTfromROT(ROT$_\emptyset$||Comm) waits for input $c$ from B, and sends $\bot$ 
to A. After receiving $x^n$ from A, it sends 

$y = m_c \oplus y' = x_c \oplus x'_{c+d \pmod n} \oplus y' = x_c \oplus x'_{c+c'-c \pmod n} \oplus y' = x_c \oplus x'_{c'} \oplus y' = x_c$ 

to B. (We used the fact that $y' = x'_{c'}$.) Hence, we have 

OT$_\emptyset$ = OTfromROT(ROT$_\emptyset$||Comm). 

OTfromROT$_A$(ROT$_{\{B\}}$||Comm) waits for $(c', y')$ and $d$ from B, and then 
outputs $\bot$ to A. It then waits for its input $x^n$ from A and outputs $m^n$ to 
B, where $m_{c'-d} = x_{c'-d} \oplus y'$, and all the other values $m_i$ are uniformly 
distributed and independent of the rest. We define S$_B$ as follows. It waits 
for input $(c', y')$ on the ROT$_{\{B\}}$ interface, and $d$ on the Comm interface. 
Then it sends $c := c' - d$ to OT. It receives $y = x_{c'-d}$ from OT, sets 
$m_{c'-d} := y \oplus y'$ and chooses all other $m_i$ uniformly at random. Finally, it 
outputs $m^n$ on the Comm interface. 
It is easy to verify that OTfromROT$_A$(ROT$_{\{B\}}$||Comm) = S$_B$(OT). 

OTfromROT$_B$(ROT$_{\{A\}}$||Comm) waits for $(x')^n$ from the ROT interface, and 
the input $c$ from B. It chooses $d$ uniformly at random and sends it to 
A. After receiving also $m^n$ from the Comm interface from A, it outputs 
$y = m_c \oplus y' = m_c \oplus x'_{c+d \pmod n}$ to B. We define S$_A$ as follows. It 
waits for $(x')^n$ on the ROT interface, and $\bot$ from OT. Then, it chooses $d$ 
uniformly at random and sends it to A on the Comm interface. After re- 
ceiving $m^n$ on the Comm interface, it sends the inputs $x_i := m_i \oplus x'_{i+d}$ for 
$i \in \{0, \dots, n-1\}$ to OT. 
It is easy to verify that OTfromROT$_B$(ROT$_{\{A\}}$||Comm) = S$_A$(OT). □ 



4.2 Oblivious Transfer is Symmetric 

Even though $\binom{2}{1}$-ROT$^1$ does not look very symmetric, it is almost sym- 
metric, as we will show in this section. In particular, we will show that 
$\binom{2}{1}$-ROT$^1$ can be reversed, using a very simple transformation that we will 
call ROTOR. Let $\binom{2}{1}$-TOR$^1$ be $\binom{2}{1}$-ROT$^1$ in the opposite direction. 
The protocol ROTOR implements $\binom{2}{1}$-TOR$^1$ using $\binom{2}{1}$-ROT$^1$ and is de- 
fined as follows. 

Protocol 3. ROTOR$_A$: 

1. Receive $(x'_0, x'_1)$ from ROT. 

2. Output $(c, y)$ to A, where $y = x'_0$ and $c = x'_0 \oplus x'_1$. 

ROTOR$_B$: 

1. Receive $(c', y')$ from ROT. 

2. Output $(x_0, x_1)$, where $x_0 = y'$ and $x_1 = c' \oplus y'$. 

[Figure: protocol ROTOR. ROTOR$_A$ turns the ROT output $(x'_0, x'_1)$ into $(c, y)$; ROTOR$_B$ turns $(c', y')$ into $(x_0, x_1)$.] 
Lemma 4.3. ROTOR($\binom{2}{1}$-ROT$^1$) securely implements $\binom{2}{1}$-TOR$^1$ in the mali- 
cious model. 



Proof. From 

$x_c = x_0 \oplus (x_0 \oplus x_1) \cdot c = y' \oplus (y' \oplus c' \oplus y') \cdot (x'_0 \oplus x'_1) = y' \oplus c' \cdot (x'_0 \oplus x'_1) = y' \oplus x'_{c'} \oplus x'_0 = x'_0 = y$ 

follows that TOR$_\emptyset$ = ROTOR(ROT$_\emptyset$). We choose S$_B$ := ROTOR$_B$ and 
S$_A$ := ROTOR$_A$. It is easy to verify that ROTOR$_A$(ROT$_{\{B\}}$) = S$_A$(TOR$_{\{B\}}$) 
and ROTOR$_B$(ROT$_{\{A\}}$) = S$_B$(TOR$_{\{A\}}$). □ 

Let $\binom{2}{1}$-TO$^1$ be $\binom{2}{1}$-OT$^1$ in the opposite direction. Using the protocols 
ROTfromOT, ROTOR and OTfromROT, we can implement $\binom{2}{1}$-OT$^1$ using 
one instance of $\binom{2}{1}$-TO$^1$, and get the following theorem. 

Theorem 4.1. $\binom{2}{1}$-OT$^1$ can be securely implemented in the malicious model 
using Comm and one instance of $\binom{2}{1}$-TO$^1$. 
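As an added example (not code from the thesis), the following Python simulates the chain behind Theorem 4.1 for the bit case $n = 2$, $\ell = 1$: Protocol 1 (ROTfromOT) applied to a reversed OT, Protocol 3 (ROTOR) to turn the result around, and Protocol 2 (OTfromROT, written for general $n$ and $\ell$) to obtain OT. The ideal OT and the channel Comm are modelled as plain function calls and return values; all function names are my own.

```python
"""Added example (not from the thesis): a Python simulation of the Chapter 4
reductions for the bit case n = 2, l = 1 of Theorem 4.1. One OT in the
reverse direction (TO: B is the sender) becomes a reverse ROT via
ROTfromOT (Protocol 1), is reversed by ROTOR (Protocol 3) and is then
consumed by OTfromROT (Protocol 2) to give OT from A to B. The ideal OT
is a function call; Comm is modelled by returning the messages d and m^n."""
import itertools
import secrets


def ideal_ot(x, c):
    """Ideal (n choose 1)-OT: the sender inputs x^n, the receiver inputs c and
    learns exactly x_c; the sender learns nothing (it receives only bottom)."""
    return x[c]


def rot_from_ot(n, ell):
    """Protocol 1 (ROTfromOT): the sender draws x^n uniformly and feeds it
    to OT, the receiver draws c uniformly. Returns (x^n, (c, y)), y = x_c."""
    x = tuple(secrets.randbits(ell) for _ in range(n))
    c = secrets.randbelow(n)
    return x, (c, ideal_ot(x, c))


def rotor(x_prime, c_prime, y_prime):
    """Protocol 3 (ROTOR), n = 2, l = 1. The holder of (x'_0, x'_1) outputs
    (c, y) = (x'_0 xor x'_1, x'_0); the holder of (c', y') outputs
    (x_0, x_1) = (y', c' xor y'). Sender and receiver roles are swapped."""
    x0p, x1p = x_prime
    return (x0p ^ x1p, x0p), (y_prime, c_prime ^ y_prime)


def ot_from_rot(n, x, c, x_prime, c_prime, y_prime):
    """Protocol 2 (OTfromROT). A holds real inputs x^n and ROT output x'^n;
    B holds real choice c and ROT output (c', y') with y' = x'_{c'}.
    B sends d = c' - c (mod n); A replies m_i = x_i xor x'_{i+d (mod n)};
    B outputs m_c xor y'. Returns (B's output, Comm transcript (d, m^n))."""
    d = (c_prime - c) % n
    m = tuple(x[i] ^ x_prime[(i + d) % n] for i in range(n))
    return m[c] ^ y_prime, (d, m)


def ot_via_reversed_ot(a_inputs, b_choice):
    """Theorem 4.1: A (sender, bits a_0, a_1) and B (receiver, choice bit)
    get OT from A to B out of one OT from B to A plus Comm."""
    # 1. ROTfromOT on the reversed OT: B is the OT sender and ends up with
    #    random (x'_0, x'_1); A is the receiver and gets (c', x'_{c'}).
    x_prime_B, (c_prime_A, y_prime_A) = rot_from_ot(2, 1)
    # 2. ROTOR: B runs ROTOR_A on (x'_0, x'_1), A runs ROTOR_B on (c', y').
    #    Now A holds (x_0, x_1) and B holds (c, y): ROT in the forward direction.
    (c_B, y_B), x_A = rotor(x_prime_B, c_prime_A, y_prime_A)
    # 3. OTfromROT uses that forward ROT and two messages over Comm.
    y, _transcript = ot_from_rot(2, a_inputs, b_choice, x_A, c_B, y_B)
    return y


def rotor_correct_everywhere():
    """Check x_c = y (the computation in the proof of Lemma 4.3) for every
    possible ROT output (x'_0, x'_1, c') with y' = x'_{c'}."""
    for x0p, x1p, c_prime in itertools.product((0, 1), repeat=3):
        y_prime = (x0p, x1p)[c_prime]
        (c, y), (x0, x1) = rotor((x0p, x1p), c_prime, y_prime)
        if (x0, x1)[c] != y:
            return False
    return True


def chain_correct(trials=64):
    """Run the full chain on every input pair and choice bit; the ROT
    randomness changes per trial, the output must always equal a_choice."""
    for a0, a1, choice in itertools.product((0, 1), repeat=3):
        for _ in range(trials):
            if ot_via_reversed_ot((a0, a1), choice) != (a0, a1)[choice]:
                return False
    return True


def ot_from_rot_correct(n=5, ell=8, trials=200):
    """Protocol 2 alone for general n and l (strings as l-bit integers):
    B's output equals x_c in every run."""
    for _ in range(trials):
        x = tuple(secrets.randbits(ell) for _ in range(n))
        c = secrets.randbelow(n)
        x_prime, (c_prime, y_prime) = rot_from_ot(n, ell)
        y, _ = ot_from_rot(n, x, c, x_prime, c_prime, y_prime)
        if y != x[c]:
            return False
    return True


if __name__ == "__main__":
    print("ROTOR correct on all inputs:", rotor_correct_everywhere())
    print("OTfromROT correct (n=5, l=8):", ot_from_rot_correct())
    print("OT from reversed OT correct:", chain_correct())
```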



Protocols that implement $\binom{2}{1}$-OT$^1$ from $\binom{2}{1}$-TO$^1$ have previously been 
presented in [CS91], and independently in [OVY93]. However, Theo- 
rem 4.1 leads to a much simpler and more efficient protocol. The proto- 
col of Theorem 4.1 has been proposed in [WW06], together with an even 
more efficient protocol, that only used one bit of communication. Unfor- 
tunately, that protocol does not work here. The problem is that we are not 
able to send the value $\bot$ to A as soon as B has made his choice, if B makes 
his choice before A has given her input. 



4.3 In the Semi-Honest Model 

In Section 3.3.3 we have seen that security in the malicious model does 
not always imply security in the semi-honest model. We will therefore 
show that the protocols ROTfromOT, OTfromROT and ROTOR are also 
secure in the semi-honest model. 

First of all, we have to adjust the definition of ROT. Since a semi-honest 
adversary will always choose its random inputs truly random, we have 
ROT$_{\{\overline{A}\}}$ = ROT$_{\{\overline{B}\}}$ = ROT$_\emptyset$. 

Lemma 4.4. Protocol ROTfromOT($\binom{n}{1}$-OT$^\ell$) securely implements $\binom{n}{1}$-ROT$^\ell$ 
in the semi-honest model. 

Proof. Obviously, we have ROT$_\emptyset$ = ROTfromOT(OT$_\emptyset$). 

(ROTfromOT$_A$||ROTfromOT$_{\overline{B}}$)(OT) outputs $x^n$ to A and $c$ (on the auxiliary 
interface) and $(c, y)$ to B. S$_B$ receives $(c, y)$, outputs $c$ on the auxiliary 
interface, and passes $(c, y)$ along to B. We have 

(ROTfromOT$_A$||ROTfromOT$_{\overline{B}}$)(OT) = S$_B$(ROT$_{\{\overline{B}\}}$). 

(ROTfromOT$_{\overline{A}}$||ROTfromOT$_B$)(OT) outputs $x^n$ and $\bot$ (on the auxiliary in- 
terface) and $x^n$ to A, and $(c, y)$ to B. S$_A$ receives $x^n$, outputs $x^n$ and $\bot$ on 
the auxiliary interface and then passes $x^n$ along to A. We have 

(ROTfromOT$_{\overline{A}}$||ROTfromOT$_B$)(OT) = S$_A$(ROT$_{\{\overline{A}\}}$). 

Hence, the protocol is secure in the semi-honest model. □ 
Lemma 4.5. OTfromROT($\binom{n}{1}$-ROT$^\ell$||Comm) securely implements $\binom{n}{1}$-OT$^\ell$ 
in the semi-honest model. 

Proof. We have seen in Lemma 4.2 that OT$_\emptyset$ = OTfromROT(ROT$_\emptyset$||Comm). 

(OTfromROT$_A$||OTfromROT$_{\overline{B}}$)(ROT$_{\{\overline{B}\}}$||Comm) chooses $(c', y')$ uniformly 
at random, outputs it on the auxiliary interface to B, and waits for input $c$ 
from B. Then it outputs $d = c' - c$ on the auxiliary interface to B, and $\bot$ to 
A. After receiving $x^n$ from A, it outputs $m^n$ on the auxiliary interface and 
$y = x_c$ on the normal interface to B, where $m_c = y' \oplus y$ and all the other 
values $m_i$ are chosen uniformly at random. 

S$_B$ chooses $(c', y')$ uniformly at random and outputs it on the auxiliary 
interface. It waits for input $c$, passes it along to OT, and outputs $d := c' - c \pmod n$ 
on the auxiliary interface. After receiving $y = x_c$ from OT, it 
outputs $m^n$ to B, where $m_c = y' \oplus y$ and the remaining values are chosen 
uniformly at random. Finally, it outputs $y$. It is easy to verify that 

(OTfromROT$_A$||OTfromROT$_{\overline{B}}$)(ROT$_{\{\overline{B}\}}$||Comm) = S$_B$(OT). 

(OTfromROT$_{\overline{A}}$||OTfromROT$_B$)(ROT$_{\{\overline{A}\}}$||Comm) chooses $(x')^n$ uniformly 
at random and outputs it on the auxiliary interface to A. After receiv- 
ing $c$ from B, it chooses $d$ uniformly at random and outputs $d$ and $\bot$ to A 
on the auxiliary interface. After receiving $x^n$ from A, it outputs $m^n$ to A, 
where $m_i := x_i \oplus x'_{i+d \pmod n}$, and $y = x_c$ to B. 

S$_A$ chooses $(x')^n$ at random and outputs it on the auxiliary interface to 
A. After receiving $\bot$ from OT, it outputs $d$ chosen uniformly at random 
on the auxiliary interface and passes $\bot$ along to A. After receiving $x^n$, it 
outputs $m^n$ to A, where $m_i := x_i \oplus x'_{i+d \pmod n}$, and passes $x^n$ along to 
OT. It is easy to verify that 

OTfromROT$_B$(ROT$_{\{\overline{A}\}}$||Comm) = S$_A$(OT). 
Hence, the protocol is secure. □ 

Protocol ROTOR applies a bijective function on the output of ROT. Hence, 
all the auxiliary output can be simulated from the output of $\binom{2}{1}$-TOR$^1$, 
and we get the following lemma. 



Lemma 4.6. ROTOR($\binom{2}{1}$-ROT$^1$) securely implements $\binom{2}{1}$-TOR$^1$ in the semi- 
honest model. 



4.4 Information-Theoretic Security Conditions 

We will now present information-theoretic conditions which imply that 
a protocol securely implements ROT, either in the malicious or in the semi- 
honest model. 



4.4.1 In the Malicious Model 

The following information-theoretic conditions are similar to the condi- 
tions presented in [CSSW06], and to the definitions of randomized obliv- 
ious transfer used in [DFSS06] and [Wul07]. However, our correctness 
condition is stronger, because we require the outputs to be random, if the 
players are honest. 

Theorem 4.2. A protocol P(F) = (P$_A$||P$_B$)(F) securely implements $\binom{n}{1}$-ROT$^\ell$ 
with an error of at most $\varepsilon$ in the malicious model, if 

• (Correctness) P(F$_\emptyset$) $\equiv_\varepsilon$ ROT$_\emptyset$. 

• (Security for A) P$_A$(F$_{\{B\}}$) interacts over the interfaces belonging to B 
(which produces a transcript $V$), and after the last input is received, it 
outputs $X^n \in \{0,1\}^{\ell \cdot n}$ to A. There exists a conditional probability distri- 
bution $P_{C \mid X^n V}$ that produces a random variable $C \in \{0, \dots, n-1\}$ such 
that $(X_0, \dots, X_{C-1}, X_{C+1}, \dots, X_{n-1})$ is $\varepsilon$-close to uniform with respect 
to $(C, X_C, V)$. 

• (Security for B) P$_B$(F$_{\{A\}}$) interacts over the interfaces belonging to A 
(which produces a transcript $U$), and after the last input is received, it 
outputs $(C, Y) \in \{0, \dots, n-1\} \times \{0,1\}^\ell$ to B where $C$ is $\varepsilon$-close to 
uniform with respect to $U$. 

Proof. Let P(F) satisfy these conditions. The correctness condition is the 
same as in Definition 3.2. 

Let S$_B$ first simulate P$_A$(F$_{\{B\}}$), which interacts with B and outputs $(X')^n$ 
and the transcript $V$ of the interaction with B. Then, it samples $C$ ac- 
cording to $P_{C \mid X^n = (x')^n, V = v}$ and sends $(C, Y)$ to ROT$_{\{B\}}$, where $Y := X'_C$. 
ROT$_{\{B\}}$ will output $X^n$ to A, where $X_C = X'_C$ and 

$(X_0, \dots, X_{C-1}, X_{C+1}, \dots, X_{n-1})$ 

is chosen uniformly at random and independent from the rest. Since 

$(X'_0, \dots, X'_{C-1}, X'_{C+1}, \dots, X'_{n-1})$ 

is $\varepsilon$-close to uniform with respect to $(C, X'_C, V)$, we have 

$(X^n, C, V) \equiv_\varepsilon ((X')^n, C, V)$, 

from which follows that 

S$_B$(ROT$_{\{B\}}$) $\equiv_\varepsilon$ P$_A$(F$_{\{B\}}$). 

S$_A$ is defined as follows. First, it simulates P$_B$(F$_{\{A\}}$), which interacts 
with A and outputs $(C, Y')$ and the transcript $U$ of the interaction with 
A. Since $C$ is $\varepsilon$-close to uniform with respect to $U$, we have 

$P_{C Y' U} = P_{C U}\, P_{Y' \mid U C} \equiv_\varepsilon P_{\overline{C}}\, P_U\, P_{Y' \mid U C}$, 

where $P_{\overline{C}}$ is the uniform distribution over $\{0, 1\}$. S$_A$ now calculates $X'^n$, 
where $X'_i$ is sampled according to the probability distribution $P_{Y' \mid U, C = i}$, 
and sends them to ROT$_{\{A\}}$. Note that the behavior of the system P$_B$(F$_{\{A\}}$) 
is known, and therefore also the probability distribution $P_{Y' \mid U, C = i}$. B 
receives a value $C$ chosen uniformly at random, and $Y = X'_C$ distributed 
according to $P_{Y' \mid U, C = C}$. We have 

$P_{C Y U} = P_U\, P_{C \mid U}\, P_{Y' \mid U C} = P_U\, P_{\overline{C}}\, P_{Y' \mid U C} \equiv_\varepsilon P_{C Y' U}$, 

and, therefore, 

S$_A$(ROT$_{\{A\}}$) $\equiv_\varepsilon$ P$_B$(F$_{\{A\}}$). □ 



Note that the simulation given in Theorem 4.2 is not necessarily efficient. 
4.4.2 In the Semi-Honest Model 

Theorem 4.3. Let $\varepsilon > 0$. Let P(F) = (P$_A$||P$_B$)(F) be a protocol that outputs 
$X^n$ to A and $(C, Y)$ to B, and let $U$ be the auxiliary output to A given by P$_{\overline{A}}$, 
and $V$ be the auxiliary output to B given by P$_{\overline{B}}$. P(F) securely implements 
$\binom{n}{1}$-ROT$^\ell$ with an error of at most $3\varepsilon$ in the semi-honest model, if 

• (Correctness) P(F$_\emptyset$) $\equiv_\varepsilon$ ROT$_\emptyset$. 

• (Security for A) $(X_0, \dots, X_{C-1}, X_{C+1}, \dots, X_{n-1})$ is $\varepsilon$-close to uniform 
with respect to $(C, Y, V)$. 

• (Security for B) $C$ is $\varepsilon$-close to uniform with respect to $(X^n, U)$. 

Proof. Let P(F) satisfy these conditions and let $P_{\overline{X}^n \overline{C}\,\overline{Y}}$ be the output dis- 
tribution of $\binom{n}{1}$-ROT$^\ell_\emptyset$. We have $P_{X^n C Y} \equiv_\varepsilon P_{\overline{X}^n \overline{C}\,\overline{Y}}$. Obviously, the cor- 
rectness condition is satisfied with an error of at most $\varepsilon$. 

We define S$_B$ as follows. After receiving $(C, Y)$, it samples a value $V'$ 
distributed according to $P_{V \mid C Y}$ and outputs $(C, Y, V')$. We get 

$$\begin{aligned}
P_{X^n C Y V} &= P_{X_0 \dots X_{C-1} X_{C+1} \dots X_{n-1} C Y V}\, P_{X_C \mid X_0 \dots X_{C-1} X_{C+1} \dots X_{n-1} C Y V} \\
&\equiv_\varepsilon P_{X_0 \dots X_{C-1} X_{C+1} \dots X_{n-1} C Y V}\, P_{X_C \mid C Y} \\
&\equiv_\varepsilon P_{C Y V}\, P_{\overline{X}_0 \dots \overline{X}_{C-1} \overline{X}_{C+1} \dots \overline{X}_{n-1}}\, P_{X_C \mid C Y} \\
&= P_{C Y}\, P_{V \mid C Y}\, P_{\overline{X}_0 \dots \overline{X}_{C-1} \overline{X}_{C+1} \dots \overline{X}_{n-1}}\, P_{X_C \mid C Y} \\
&\equiv_\varepsilon P_{\overline{C}\,\overline{Y}}\, P_{V \mid C Y}\, P_{\overline{X}_0 \dots \overline{X}_{C-1} \overline{X}_{C+1} \dots \overline{X}_{n-1}}\, P_{\overline{X}_C \mid \overline{C}\,\overline{Y}} \\
&= P_{\overline{X}^n \overline{C}\,\overline{Y}}\, P_{V \mid C Y} = P_{\overline{X}^n \overline{C}\,\overline{Y}}\, P_{V' \mid C Y}
\end{aligned}$$ 

and, therefore, 

(P$_A$||P$_{\overline{B}}$)(F$_{\{\overline{B}\}}$) $\equiv_{3\varepsilon}$ S$_B$(ROT$_{\{\overline{B}\}}$). 

We define S$_A$ as follows. After receiving $X^n$, it samples a value $U'$ dis- 
tributed according to $P_{U \mid X^n}$ and outputs $(X^n, U')$. We get 

$$\begin{aligned}
P_{X^n C Y U} &= P_{X^n C U}\, P_{Y \mid X^n C U} \equiv_\varepsilon P_{X^n C U}\, P_{Y \mid X^n C} \\
&\equiv_\varepsilon P_{X^n U}\, P_{\overline{C}}\, P_{Y \mid X^n C} = P_{X^n}\, P_{U \mid X^n}\, P_{\overline{C}}\, P_{Y \mid X^n C} \\
&\equiv_\varepsilon P_{\overline{X}^n}\, P_{\overline{C}}\, P_{Y \mid X^n C}\, P_{U \mid X^n} = P_{\overline{X}^n \overline{C}\,\overline{Y}}\, P_{U' \mid X^n}
\end{aligned}$$ 

and, therefore, 

(P$_{\overline{A}}$||P$_B$)(F$_{\{\overline{A}\}}$) $\equiv_{3\varepsilon}$ S$_A$(ROT$_{\{\overline{A}\}}$). □ 



One way to sample $V'$ according to $P_{V \mid C, Y}$ is to simulate the protocol 
(P$_A$||P$_B$)(F) until $(V', C', Y')$ is received where $C' = C$ and $Y' = Y$. 
This simulation needs time exponential in the parameters $\ell$ and $n$, but is 
efficient if $\ell$ and $n$ are small and (P$_A$||P$_B$)(F) is efficient. Similarly, we 
can sample $U'$ by simulating the protocol (P$_A$||P$_B$)(F) until $(U', (X')^n)$ is 
received where $(X')^n = X^n$. 



Chapter 5 

Universal Oblivious Transfer 



Universal oblivious transfer (UOT) is a variant of ROT where the security 
of the sender is weakened. A malicious receiver is allowed to receive any 
information he wants about the sender's input, as long as he does not re- 
ceive too much information. A parameter $\alpha$ specifies a lower bound on 
the amount of uncertainty the receiver must have over the sender's in- 
put, measured in terms of min-entropy. UOT was introduced in [Cac98], 
together with a protocol that implements ROT from UOT. However, the 
security proof contained an error which was discovered in [DFSS06]. It 
was shown that ROT with a string length of $\ell$ can be implemented from 
one instance of UOT with an error of at most $\varepsilon$ if $\ell \leq \alpha/4 - \frac{1}{2}\log(1/\varepsilon) - 1$, 
which is only about half as much as originally claimed in [Cac98]. 

In Theorem 5.1 we give a new proof for the same protocol that was also 
used in [Cac98, DFSS06], and show that the protocol is also secure for 

$\ell \leq \alpha/2 - 3\log(1/\varepsilon)$ 

with an error of at most $2\varepsilon$. This improves the bound of [DFSS06] by a 
factor of 2 (at the cost of a larger error term) and achieves the bound that 
has been originally claimed in [Cac98], which is asymptotically optimal 
for this protocol. 

Our proof makes use of a new distributed leftover hash lemma (Lemma 5.3), 
which is of independent interest. 



5.1 Min-Entropy and Randomness Extraction 

In this section we show how almost uniform randomness can be extracted 
out of non-uniform randomness. We use the min-entropy to measure the 
amount of randomness a random variable has. 

Definition 5.1 (Conditional min-entropy). Let $X$ and $Y$ be random vari- 
ables. The min-entropy of $X$ given $Y$ is defined as 

$$H_{\min}(X \mid Y) := \min_{x, y:\, P_{XY}(x, y) > 0} \log \frac{1}{P_{X \mid Y}(x \mid y)} \;.$$ 

We will need the following lemma. 

Lemma 5.1. For all $X$, $Y$, and $Z$, we have $H_{\min}(X \mid Z) \geq H_{\min}(X \mid YZ)$. 

Proof. This inequality follows from 

$$\max_{x, z} P_{X \mid Z}(x \mid z) = \max_{x, z} \sum_y P_Y(y)\, P_{X \mid YZ}(x \mid y, z) \leq \max_{x, z} \sum_y P_Y(y) \max_{x, y, z} P_{X \mid YZ}(x \mid y, z) = \max_{x, y, z} P_{X \mid YZ}(x \mid y, z) \;. \qquad \square$$ 

We will use 2-universal hash functions to extract randomness. 

Definition 5.2 ([CW79]). A function $h : \mathcal{X} \times \mathcal{S} \to \mathcal{Y}$ is called a 2-universal 
hash function, if for all $x_0 \neq x_1 \in \mathcal{X}$ we have 

$$\Pr[h(x_0, S) = h(x_1, S)] \leq \frac{1}{|\mathcal{Y}|} \;,$$ 

if $S$ is uniform over $\mathcal{S}$. 



The leftover hash lemma [ILL89] shows that a 2-universal hash function is 
able to extract almost all randomness, if some additional uniform ran- 
domness $S$ is provided as a catalyst. Notice that the extracted random- 
ness is independent from $S$. A slightly less general form of this lemma has 
been proved before in [BBR88], where it was called privacy amplification. 
[BBCM95] generalized the notion of privacy amplification to basically the 
same statement as [ILL89], in a slightly different notion. 

Lemma 5.2 (Leftover hash lemma [BBR88, ILL89]). Let $X$ be a random vari- 
able over $\mathcal{X}$ and let $m > 0$. Let $h : \mathcal{S} \times \mathcal{X} \to \{0,1\}^m$ be a 2-universal hash 
function. If 

$m \leq H_{\min}(X) - 2\log(1/\varepsilon)$, 

then for $S$ uniform over $\mathcal{S}$, $h(S, X)$ is $\varepsilon$-close to uniform with respect to $S$. 

We will now give a distributed version of the leftover hash lemma, where 
two players independently extract randomness from two dependent ran- 
dom variables $X$ and $Y$. The (normal) leftover hash lemma tells us that 
if the extracted randomness of $X$ and $Y$, respectively, is smaller than the 
min-entropy of $X$ and $Y$, respectively, then the extracted strings are close 
to uniform. However, the two extracted strings might depend on each 
other. Lemma 5.3 now states that if the total length of the extracted ran- 
domness is smaller than the min-entropy of $(X, Y)$, then the two strings 
are also almost independent. Clearly, this bound is optimal. 

Lemma 5.3 (Distributed leftover hash lemma). Let $X$ and $Y$ be random 
variables over $\mathcal{X}$ and $\mathcal{Y}$, and let $m, n > 0$. Let $g : \mathcal{S} \times \mathcal{X} \to \{0,1\}^m$ and 
$h : \mathcal{R} \times \mathcal{Y} \to \{0,1\}^n$ be 2-universal hash functions. If 

$m \leq H_{\min}(X) - 2\log(1/\varepsilon)$, 
$n \leq H_{\min}(Y) - 2\log(1/\varepsilon)$, and 
$m + n \leq H_{\min}(XY) - 2\log(1/\varepsilon)$, 

then, for $(S, R)$ uniform over $\mathcal{S} \times \mathcal{R}$, $(g(S, X), h(R, Y))$ is $\varepsilon$-close to uniform 
with respect to $(S, R)$. 



Proof. For any $W$ having distribution $P_W$ over $\mathcal{W}$, and $W'$ uniformly dis- 
tributed over $\mathcal{W}$, we have 

$$\Delta(W, W') = \frac{1}{2} \sum_w \left| P_W(w) - \frac{1}{|\mathcal{W}|} \right| \leq \frac{1}{2} \sqrt{|\mathcal{W}| \sum_w \left( P_W(w) - \frac{1}{|\mathcal{W}|} \right)^2} = \frac{1}{2} \sqrt{|\mathcal{W}| \sum_w P_W(w)^2 - 1} \;.$$ 

Here we used Lemma A.3. 

Let $V = g(S, X)$, $V' = h(R, Y)$ and $U$, $U'$ be two uniform random vari- 
ables over $\{0,1\}^m$ and $\{0,1\}^n$. Choosing $W := (V, V', S, R)$ and $W' := (U, U', S, R)$ 
in the above inequality, we get 

$$\Delta((V, V', S, R), (U, U', S, R)) \leq \frac{1}{2} \sqrt{|\mathcal{S}| |\mathcal{R}| 2^{m+n} \sum_{v, v', s, r} P_{V V' S R}(v, v', s, r)^2 - 1} \;.$$ 

Since $\sum_x P_X(x)^2$ is the collision probability¹ of a random variable $X$, we 
have for $(X_0, Y_0)$ and $(X_1, Y_1)$ independently distributed according to 
$P_{XY}$ and for uniformly random $S_0$, $S_1$, $R_0$, and $R_1$ that 

$$\sum_{v, v', s, r} P_{V V' S R}(v, v', s, r)^2 = \Pr[S_0 = S_1 \wedge R_0 = R_1] \cdot \Pr[g(X_0, S_0) = g(X_1, S_0) \wedge h(Y_0, R_0) = h(Y_1, R_0)] \;.$$ 

Because $g$ and $h$ are 2-universal hash functions, we have 

$$\begin{aligned}
&\Pr[g(X_0, S_0) = g(X_1, S_0) \wedge h(Y_0, R_0) = h(Y_1, R_0)] \\
&\leq \Pr[X_0 = X_1 \wedge Y_0 = Y_1] + 2^{-m} \Pr[X_0 \neq X_1 \wedge Y_0 = Y_1] + 2^{-n} \Pr[X_0 = X_1 \wedge Y_0 \neq Y_1] + 2^{-m-n} \\
&\leq 2^{-m-n} \varepsilon^2 + 2^{-m} 2^{-n} \varepsilon^2 + 2^{-n} 2^{-m} \varepsilon^2 + 2^{-m-n} \\
&= (1 + 3\varepsilon^2)\, 2^{-m-n} \;,
\end{aligned}$$ 

which implies that 

$$\Delta((V, V', S, R), (U, U', S, R)) \leq \frac{1}{2} \sqrt{|\mathcal{S}| |\mathcal{R}| 2^{m+n} \frac{1 + 3\varepsilon^2}{|\mathcal{S}| |\mathcal{R}| 2^{m+n}} - 1} = \frac{\sqrt{3}}{2}\, \varepsilon \leq \varepsilon \;. \qquad \square$$ 

¹ Let $X_0$ and $X_1$ be distributed according to $P_X$. The collision probability is $\Pr[X_0 = X_1] = \sum_x P_X(x)^2$. 

Notice that Lemma 5.3 implies Lemma 5.2. 



5.2 Definition of Universal Oblivious Transfer 



We now define universal oblivious transfer, or $(\alpha)$-$\binom{2}{1}$-UOT$^n$, which is a 
variant of $\binom{2}{1}$-ROT$^n$ that provides weaker security for A. For $\mathcal{A} = \emptyset$ or 
$\mathcal{A} = \{A\}$, UOT is equal to ROT. But for $\mathcal{A} = \{B\}$, instead of requiring that 
B does not know anything about one of the two strings, we only require 
that he does not entirely know both of them, i.e., the min-entropy of the 
sender's input is at least $\alpha$. Note that from Lemma 2 in [RW05], it follows 
that there is no need to use different kinds of Rényi entropies [Ren61] as 
done in [Cac98] or [DFSS06], as they are basically all equivalent to the 
min-entropy. 

Definition 5.3 (Universal oblivious transfer). The system $(\alpha)$-$\binom{2}{1}$-UOT$^n$ 
(or, if $\alpha$ and $n$ are clear from the context, UOT) is defined as a collection 
of systems 

UOT = (UOT$_\emptyset$, UOT$_{\{A\}}$, UOT$_{\{B\}}$), 

where UOT$_\emptyset$ = $\binom{2}{1}$-ROT$^n_\emptyset$ and UOT$_{\{A\}}$ = $\binom{2}{1}$-ROT$^n_{\{A\}}$. UOT$_{\{B\}}$ is defined 
as follows. The system waits for B to input a distribution 

$$p \in \{ P_{X_0 X_1} \mid H_{\min}(X_0, X_1) \geq \alpha \} \;,$$ 

where $(X_0, X_1) \in \{0,1\}^n \times \{0,1\}^n$. After receiving $p$, it chooses $(x_0, x_1)$ 
according to $p$ and outputs $(x_0, x_1)$ to A. 



Notice that our definition of UOT is slightly weaker than the definitions 
used in [Cac98, DFSS06]. Because our UOT is a weak version of ROT, 
we do not only allow the malicious receiver to receive arbitrary informa- 
tion about his input, but we also allow him to freely choose his output. 
For example, we allow him to select $2n - \alpha$ bits and freely fix their values. 
UOT will then choose the remaining $\alpha$ bits randomly. 



5.3 Universal Oblivious Transfer Amplification 

Our protocol ROTfromUOT is basically the same as the protocols used in 
[BC97, Cac98, BCW03, DFSS06]. It securely implements $\binom{2}{1}$-ROT$^\ell$ using 
one instance of $(\alpha)$-$\binom{2}{1}$-UOT$^n$ and Comm in the malicious model. Let 
$h : \{0,1\}^n \times \mathcal{R} \to \{0,1\}^\ell$ be a 2-universal hash function. The protocol is 
defined as follows. 

Protocol 4. ROTfromUOT$_A$: 

1. Receive $(x_0, x_1) \in \{0,1\}^n \times \{0,1\}^n$ from UOT. 

2. Choose $(r_0, r_1) \in \mathcal{R}^2$ uniformly at random. 

3. Send $(r_0, r_1)$ to Comm. 

4. Output $(u_0, u_1) \in \{0,1\}^\ell \times \{0,1\}^\ell$ to A, where $u_0 := h(x_0, r_0)$ and 
$u_1 := h(x_1, r_1)$. 

ROTfromUOT$_B$: 

1. Receive $(c, w) \in \{0,1\} \times \{0,1\}^n$ from UOT and $(r_0, r_1) \in \mathcal{R}^2$ from 
Comm. 

2. Output $(c, y) \in \{0,1\} \times \{0,1\}^\ell$ to B, where $y := h(w, r_c)$. 

[Figure: protocol ROTfromUOT. UOT outputs $(x_0, x_1)$ to ROTfromUOT$_A$ and $(c, w)$ to ROTfromUOT$_B$; $(r_0, r_1)$ is sent over Comm; A outputs $(u_0, u_1)$ and B outputs $(c, y)$.] 
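As an added example (not the thesis' own code), the following Python runs Protocol 4 on a constructed UOT output and checks Lemma 5.2 exactly for tiny parameters. The 2-universal hash $h$ is instantiated as a random GF(2)-linear map (each output bit is the parity of a random subset of input bits), the UOT output is constructed with uniformly random strings, and all function names are my own; the last function also shows what happens when the min-entropy condition of the lemma is violated.

```python
"""Added example (not from the thesis): Protocol 4 (ROTfromUOT) run on a
constructed UOT output, with a random GF(2)-linear map as the 2-universal
hash h, plus an exact check of the leftover hash lemma (Lemma 5.2) at the
threshold m = H_min(X) - 2 log(1/eps). The parameters are tiny so that the
statistical distance can be computed by enumerating every seed."""
import itertools
import secrets


def gf2_hash(x, rows):
    """2-universal hash h(x, r): r is a list of m row masks over n bits; output
    bit i is the parity of (x AND row_i). For x != x' the two outputs collide
    with probability exactly 2^-m over a uniformly random r."""
    out = 0
    for row in rows:
        out = (out << 1) | (bin(x & row).count("1") & 1)
    return out


def random_seed(n, m):
    """Uniform element of the seed set R: m independent n-bit row masks."""
    return [secrets.randbits(n) for _ in range(m)]


def rot_from_uot(x0, x1, c, w, n, ell):
    """Protocol 4. A received (x0, x1) from UOT, B received (c, w) with w = x_c.
    A draws (r0, r1), sends them over Comm and outputs (h(x0, r0), h(x1, r1));
    B outputs (c, h(w, r_c)). Returns (A's output, B's output)."""
    r0, r1 = random_seed(n, ell), random_seed(n, ell)   # the Comm message
    u0, u1 = gf2_hash(x0, r0), gf2_hash(x1, r1)
    y = gf2_hash(w, (r0, r1)[c])
    return (u0, u1), (c, y)


def lhl_distance(support, n, m):
    """Exact statistical distance between (h(S, X), S) and (uniform, S), for
    X uniform over `support` (H_min(X) = log2(len(support))) and the seed S
    uniform over all 2^(n*m) row lists; every seed is enumerated."""
    total, seeds = 0.0, 0
    uniform = 1.0 / (1 << m)
    for rows in itertools.product(range(1 << n), repeat=m):
        counts = [0] * (1 << m)
        for x in support:
            counts[gf2_hash(x, rows)] += 1
        total += 0.5 * sum(abs(cnt / len(support) - uniform) for cnt in counts)
        seeds += 1
    return total / seeds                   # average over S of the distance


def lhl_check(n=6, k=4, m=2):
    """X uniform over 2^k constructed strings; extract m bits. Lemma 5.2 with
    m = k - 2 log(1/eps) gives eps = 2^(-(k-m)/2), and the exact distance
    must be at most eps. Returns (distance, eps)."""
    support = list(range(1 << k))          # constructed: low k bits free
    eps = 2.0 ** (-(k - m) / 2)
    return lhl_distance(support, n, m), eps


def too_little_entropy(n=6, m=2):
    """Same extractor on X uniform over two strings (H_min(X) = 1), so that
    m <= H_min(X) - 2 log(1/eps) fails for every eps < 1; the extracted bits
    stay far from uniform (distance 0.5625 for these parameters)."""
    return lhl_distance([0, 1], n, m)


def protocol_correct(n=6, ell=2, trials=100):
    """Correctness of Protocol 4: B's y equals A's u_c in every run. The UOT
    output is constructed from uniformly random (x0, x1) and choice bit c."""
    for _ in range(trials):
        x0, x1, c = secrets.randbits(n), secrets.randbits(n), secrets.randbits(1)
        (u0, u1), (c_out, y) = rot_from_uot(x0, x1, c, (x0, x1)[c], n, ell)
        if c_out != c or y != (u0, u1)[c]:
            return False
    return True


if __name__ == "__main__":
    dist, eps = lhl_check()
    print(f"LHL at the threshold: distance {dist:.4f} <= eps {eps:.4f}")
    print(f"Too little min-entropy: distance {too_little_entropy():.4f}")
    print("Protocol 4 correct:", protocol_correct())
```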
We will now show that this protocol indeed achieves the optimal bound 
of $\ell \approx \alpha/2$. The proof works roughly as follows. We define an additional 
random variable $A \in \{0, 1, 2\}$ that distinguishes between three different 
cases, and show that in each case there exists a random variable $C$ such 
that $U_{1-C}$ is almost uniform and independent of the rest. If $A \in \{0, 1\}$, 
we can lower-bound the min-entropy of $X_{1-A}$ conditioned on $X_A$, and 
are therefore able to apply Lemma 5.2 for $C = A$. If $A = 2$ we have lower 
bounds for the min-entropy of $X_0$, $X_1$, and $(X_0, X_1)$, which allow us to 
apply Lemma 5.3. We need that $\Pr[A = 2] \geq \varepsilon$. If this is not the case, we 
ignore the events $A = 2$ at the cost of an additional error of at most $\varepsilon$. 

Theorem 5.1. Let $\alpha, n, \ell, \varepsilon > 0$. Protocol ROTfromUOT($(\alpha)$-$\binom{2}{1}$-UOT$^n$) se- 
curely implements $\binom{2}{1}$-ROT$^\ell$ in the malicious model with an error of at most $2\varepsilon$, 
if $\ell \leq \alpha/2 - 3\log(1/\varepsilon)$. 

Proof. Obviously, for $\mathcal{A} = \emptyset$, we have ROTfromUOT(UOT$_\emptyset$) = ROT$_\emptyset$. 

Let $\mathcal{A} = \{A\}$. ROTfromUOT$_B$(UOT$_{\{A\}}$) waits for receiving $(x_0, x_1)$ and 
$(r_0, r_1)$ from A and then outputs $(c, y)$ to B, where $c$ is chosen uniformly at 
random and $y = h(x_c, r_c)$. We define S$_A$ as follows. It waits for receiving 
$(x_0, x_1)$ and $(r_0, r_1)$ from A and sends $(h(x_0, r_0), h(x_1, r_1))$ to ROT$_{\{A\}}$. It is 
easy to see that ROTfromUOT$_B$(UOT$_{\{A\}}$) = S$_A$(ROT$_{\{A\}}$). 

Let $\mathcal{A} = \{B\}$. The system ROTfromUOT$_A$(UOT$_{\{B\}}$) receives the value $p$ 
from B, and then outputs $(U_0, U_1)$ to A and $(R_0, R_1)$ to B. In the following, 
we will implicitly condition on the values $P = p$. Let 



for $i \in \{0, 1\}$. Let 



(5.1) 

and $A := g(X_0, X_1)$, for $u$ chosen uniformly at random from $\{0, 1\}$. If 
$\Pr[A = 2] < \varepsilon$, let $\mathcal{E}$ be the event that $A < 2$, and let $\mathcal{E}$ be the event with 
probability 1 otherwise. We have $\Pr[\mathcal{E}] \geq 1 - \varepsilon$, and the event $(A = 2) \cap \mathcal{E}$ 
either has probability 0 or at least $\varepsilon$. Let $C = \min(A, 1)$. 
• For $A = a \in \{0, 1\}$ and $\Pr[A = a \wedge \mathcal{E}] > 0$, we have $C = a$. All 
$x_a \in S_a$ have $\Pr[X_a = x_a \mid A = a \wedge \mathcal{E}] = 0$. For all $x_a \notin S_a$ we have 

$$\Pr[X_a = x_a \wedge A = a \wedge \mathcal{E}] = \Pr[X_a = x_a \wedge X_{1-a} \in S_{1-a}] + \frac{\Pr[X_a = x_a \wedge X_{1-a} \notin S_{1-a}]}{2} \geq \frac{\Pr[X_a = x_a]}{2} \geq 2^{-\alpha/2-1} \;.$$ 

It follows that 

$$\Pr[X_{1-a} = x_{1-a} \mid X_a = x_a \wedge A = a \wedge \mathcal{E}] = \frac{\Pr[X_{1-a} = x_{1-a} \wedge X_a = x_a \wedge A = a \wedge \mathcal{E}]}{\Pr[X_a = x_a \wedge A = a \wedge \mathcal{E}]} \leq \frac{2^{-\alpha}}{2^{-\alpha/2-1}} = 2^{-\alpha/2+1}$$ 

and hence, $H_{\min}(X_{1-C} \mid X_C, A = a, \mathcal{E}) \geq \alpha/2 - 1$. Since $R_0$ and 
$R_1$ are uniformly distributed and independent of the rest, it follows 
from Lemma 5.2 that, conditioned on $(A = a) \cap \mathcal{E}$, $U_{1-C}$ is $\varepsilon$-close to 
uniform with respect to $(R_0, R_1, U_C)$. 

• If $A = 2$ and $\Pr[A = 2 \wedge \mathcal{E}] > 0$, then $C = 1$, $\Pr[A = 2 \wedge \mathcal{E}] \geq \varepsilon$, 
$\Pr[X_0 = x_0 \wedge X_1 = x_1 \mid A = 2 \wedge \mathcal{E}] \leq 2^{-\alpha}/\varepsilon$, and $\Pr[X_i = x_i \mid A = 2 \wedge \mathcal{E}] \leq 2^{-\alpha/2}/\varepsilon$, for $i \in \{0, 1\}$. It follows that 

$$\begin{aligned}
H_{\min}(X_0 \mid A = 2 \wedge \mathcal{E}) &\geq \alpha/2 - \log(1/\varepsilon) \\
H_{\min}(X_1 \mid A = 2 \wedge \mathcal{E}) &\geq \alpha/2 - \log(1/\varepsilon) \\
H_{\min}(X_0 X_1 \mid A = 2 \wedge \mathcal{E}) &\geq \alpha - \log(1/\varepsilon) \;.
\end{aligned}$$ 

Since $R_0$ and $R_1$ are uniformly distributed and independent of the 
rest, it follows from Lemma 5.3 that conditioned on $(A = 2) \cap \mathcal{E}$, 
$(U_0, U_1)$ is $\varepsilon$-close to uniform with respect to $(R_0, R_1)$, from which 
follows that $U_{1-C}$ is $\varepsilon$-close to uniform with respect to $(R_0, R_1, U_C)$. 

Therefore, for all $a \in \{0, 1, 2\}$, conditioned on $(A = a) \cap \mathcal{E}$, the distribu- 
tion of $U_{1-C}$ is $\varepsilon$-close to uniform with respect to $(R_0, R_1, C, U_C)$. Since 
$\Pr[\mathcal{E}] \geq 1 - \varepsilon$, it follows from Lemma 2.5 that $U_{1-C}$ is $2\varepsilon$-close to uniform 
with respect to $(R_0, R_1, C, U_C)$. Because this holds for every $P = p$, it fol- 
lows that $U_{1-C}$ is $2\varepsilon$-close to uniform with respect to $(C, U_C, P, R_0, R_1)$. 

We define S$_B$ as follows. After receiving $p : \mathcal{X}_0 \times \mathcal{X}_1 \to [0, 1]$ from B, it 
simulates UOT$_{\{B\}}$ on input $p$, from which it gets the values $X'_0$ and $X'_1$, 
distributed according to $p$. It calculates $C = \min(g(X'_0, X'_1), 1)$ according 
to (5.1). Then it chooses $R'_0$ and $R'_1$ uniformly at random from $\mathcal{R}$, sends 
$(C, h(X'_C, R'_C))$ to ROT$_{\{B\}}$ and outputs $(R'_0, R'_1)$ on the Comm interface. 
ROT$_{\{B\}}$ will output $(U'_0, U'_1)$ to A, where $U'_C = h(X'_C, R'_C)$ and $U'_{1-C}$ is 
chosen uniformly at random and independent from the rest. Since $U_{1-C}$ 
is $2\varepsilon$-close to uniform with respect to $(C, P, U_C, R_0, R_1)$, it is easy to see 
that 

$(U'_0, U'_1, C, P, R'_0, R'_1) \equiv_{2\varepsilon} (U_0, U_1, C, P, R_0, R_1)$, 

from which follows that 

ROTfromUOT$_A$(UOT$_{\{B\}}$) $\equiv_{2\varepsilon}$ S$_B$(ROT$_{\{B\}}$). □ 



5.4 Applications 

The definition of UOT emerged as a generalization of the protocol pre- 
sented in [BC97, BCW03] to implement string OT out of bit OT. Therefore 
it is not surprising that the reduction we presented in this chapter can 
be used to implement string OT from bit OT. Asymptotically, our proto- 
col also achieves the same bound as the protocol of [BC97, BCW03] for 
this task. Our protocol can also be used to implement OT from GOT, 
which leads to better bounds than the ones presented in [BC97, BCW03] 
or [DFSS06]. 

Recently, another very interesting application of UOT has been presented: 
in [DFR+06], it was shown that in the bounded quantum-storage model, it is 
possible to implement a simple protocol that achieves a quantum version 
of UOT. Whereas it is not clear how the results of [DFSS06] can be used 
in that setting to implement OT, they showed that a simplified version of 
our proof (only requiring the normal leftover hash lemma) can directly 
be applied, using a quantum version of the leftover hash lemma, called 
privacy amplification against quantum adversaries [RK05, Ren05]. It is also 
possible to generalize our distributed leftover hash lemma to the quan- 
tum setting, and therefore the proof we present in this chapter can also be 
used in the setting of [DFR+06] to improve the efficiency of their reduc- 
tion. 



Chapter 6 



Weak Oblivious Transfer 



Weak oblivious transfer (WOT), introduced in [DKS99], is a weak variant 
of ROT where both players may obtain additional information about the 
other player's input, and where the output may have some errors. In 
[DKS99] it was used as a tool to construct OT from unfair primitives, i.e., 
primitives where the adversary is more powerful than the honest partic- 
ipants, such as the unfair noisy channel. WOT is parameterized by three 
parameters, $p$, $q$, and $\varepsilon$, where $p$ measures the amount of side information 
that the sender gets about the receiver's choice bit, $q$ the amount of side 
information the receiver gets about the sender's second input bit, and $\varepsilon$ is 
the maximal probability that an error occurs. 

While the definition of WOT is very informal in [DKS99], the definition 
used in [DFMS04] (which gives an ideal functionality of WOT) made im- 
plicitly a quite strong assumption, namely that the event that an adver- 
sary gains information is independent of the error. Unfortunately, the 
protocol used in [DKS99, DFMS04] based on unfair noisy channels does 
not achieve these strong requirements. We propose two new, weaker def- 
initions of WOT, one for the semi-honest (Definition 6.1) and one for the 
malicious model (Definition 6.2), that do not have these assumptions. 
Also, our definitions make the use of generalized weak oblivious transfer 
[DFMS04], at least for the protocols we have at the moment, unnecessary. 

In Theorem 6.1 we restate the impossibility result from [DKS99] that there 
does not exist a protocol which implements OT from WOT if $p + q + 2\varepsilon \geq 1$. 







Figure 6.1: The bounds on the parameters $p$, $q$, and $\varepsilon$ for WOT. (0): Impossi- 
bility, Theorem 6.1. (1): Special case where $\varepsilon = 0$ or $\varepsilon$ is small, Theorem 6.2 
and Corollary 6.2. (2-3): Special cases where $p = 0$ or $q = 0$, Theorem 6.3 and 
Corollary 6.1. (4-7): General case where $p, q, \varepsilon > 0$, Theorem 6.4. 



Then, we give several protocols that implement ROT from WOT. In The- 
orem 6.2 we show that the bound of $p + q < 1$ and $\varepsilon = 0$ presented 
in [DKS99] can also be achieved using our definition, both in the semi- 
honest and the malicious model. Furthermore, we give a more detailed 
analysis of the protocols' efficiency. For the case where $\varepsilon > 0$, our new 
definition makes it necessary to use a different protocol to reduce the er- 
ror $\varepsilon$, which implies that we are not able to achieve the same bound as 
[DKS99]. In Theorem 6.3 and Corollary 6.1 we show that for the special 
case where either $p = 0$ or $q = 0$ holds, ROT can securely be implemented 
from WOT in the semi-honest model if 

$$(p = 0 \wedge \sqrt{q} + 2\varepsilon < 1) \vee (q = 0 \wedge \sqrt{p} + 2\varepsilon < 1) \;.$$ 

We achieve these bounds very easily by using an interesting connection 
to key agreement protocols [HR05, Hol06] and the statistical distance po- 
larization problem [SV99, Vad99]. For the general case where $p$, $q$, and $\varepsilon$ 
may be larger than 0, we show in Theorem 6.4 that if 

$$p + q + 2\varepsilon \leq 0.24$$ 

or 

$$(p + 22q + 44\varepsilon < 1) \vee (22p + q + 44\varepsilon < 1) \vee (7\sqrt{p + q} + 2\varepsilon < 1) \;,$$ 

ROT can efficiently be implemented from WOT secure in the semi-honest 
model. These bounds do not achieve the bound of $p + q + 2\varepsilon < 0.45$ 
from [DKS99] for all values $p$, $q$, and $\varepsilon$, but they are better for the cases 
where two parameters are small and one is large. Finally, we show in 
Corollary 6.2 that we can also implement ROT from WOT in the semi- 
honest model if 

$$(1 - p - q)^4 \geq -178 \cdot \log(1 - 2\varepsilon) \;,$$ 

which means that if $\varepsilon$ is small enough, then we can achieve OT for all 
values $p + q < 1$. 

6.1 Definition of WOT 

In this section we give formal definitions of WOT. Because our protocols will reduce the information of the adversary by using the XOR of several values, the maximum bit-prediction advantage (PredAdv) turns out to be a good measure for the adversary's side information. Furthermore, it has the advantage that we can easily find a computational version of this measure, which will be very useful in Chapter 7. Our definition of WOT is inspired by the definition of weak bit agreement in [Hol05, Hol06].



6.1.1 In the Semi-Honest Model 

We start with the definition of WOT in the semi-honest model. Since the 
adversary is not able to choose which information he would like to ob- 
tain in the semi-honest model, he may only obtain whatever information 
the functionality provides him with. But we do not want to fix this in- 
formation, as we want to cover a wide range of possibilities — we might 
not even know what information the functionality will provide to the ad- 
versary. Therefore, we cannot define an ideal functionality. Instead, we 
will define a set of ideal functionalities, and assume that one instance of 
this set is provided to us, but we may not know which instance. We will 
define this set of ideal functionalities by a list of properties that the ideal 
functionality must satisfy. 

Definition 6.1 (Weak oblivious transfer, semi-honest model). Let

$$F = (F_\emptyset, F_{\{A\}}, F_{\{B\}})$$

be a collection of systems in the semi-honest model. Let $F$ output $(X_0, X_1)$ to A and $(C, Y)$ to B. Let $U$ be the auxiliary output to A by $F_{\{A\}}$ and $V$ be the auxiliary output to B by $F_{\{B\}}$. Let $E := X_C \oplus Y$. $F$ implements $(p, q, e)$-WOT in the semi-honest model, if

• (Correctness) $\Pr[E = 1] \le e$.

• (Security for A) $\mathrm{PredAdv}(X_{1-C} \mid V, E) \le q$.

• (Security for B) $\mathrm{PredAdv}(C \mid U, E) \le p$.

We also use $(p, q)$-WOT for $(p, q, 0)$-WOT.

It is not immediately clear why we require that $X_{1-C}$ and $C$ are difficult to guess even when additionally the value $E$ is given. We do this in order to allow the adversary to learn the error during the protocol without getting additional information about $X_{1-C}$ or $C$. For example, in the protocol E-Reduce, B may get to know $X_C$ during the protocol, which means that he gets to know $E = Y \oplus X_C$. Therefore, we must make sure that his side information about $X_{1-C}$ is not increased if he gets to know $E$. Note, however, that for the protocols we present here, it would be sufficient to only require $\mathrm{PredAdv}(C \mid U) \le p$ for the security for B, because $E$ is never leaked to A. We do not use this definition in order to keep WOT symmetric, and to get a stronger Theorem 7.2 that is simpler to prove. (Otherwise, Theorem 7.2 would not work for all protocols, but just for the protocols we present here.)

We will now show that the conditions of WOT suffice to implement ROT 
in the semi-honest model. We need the following lemma. 

Lemma 6.1. Let $P_U$ be the uniform distribution over $\{0,1\}$ and let $P_{CX_0X_1}$ be a distribution over $\{0,1\}^3$ for which $P_{CX_1X_0} =_{e} P_U P_{X_1X_0}$ and $P_{X_{1-C}X_CC} =_{e} P_U P_{X_CC}$ holds. Then $\Delta(P_{CX_0X_1}, P_U P_U P_U) \le 4e$.

Proof. Write the eight probabilities as $a_c := P_{CX_1X_0}(c, 0, 0)$, $b_c := P_{CX_1X_0}(c, 0, 1)$, $c_c := P_{CX_1X_0}(c, 1, 0)$ and $d_c := P_{CX_1X_0}(c, 1, 1)$ for $c \in \{0, 1\}$ (the index is the value of $C$). From $P_{CX_1X_0} =_{e} P_U P_{X_1X_0}$ and Lemma A.6 we get

$$|a_0 - a_1| + |b_0 - b_1| + |c_0 - c_1| + |d_0 - d_1| \le 2e,$$

and from $P_{X_{1-C}X_CC} =_{e} P_U P_{X_CC}$ and Lemma A.6 (for $C = 0$ the bit $X_{1-C} = X_1$ must be close to uniform given $X_0$, for $C = 1$ the bit $X_0$ given $X_1$)

$$|a_0 - c_0| + |b_0 - d_0| + |a_1 - b_1| + |c_1 - d_1| \le 2e.$$

Adding up the two inequalities, we get

$$|a_1 - a_0| + |a_0 - c_0| + |c_0 - c_1| + |c_1 - d_1| + |d_1 - d_0| + |d_0 - b_0| + |b_0 - b_1| + |b_1 - a_1| \le 4e. \qquad (6.1)$$

It is easy to see that the difference between the minimal and the maximal values in the set $\{a_0, \dots, d_1\}$ is at most $2e$, and that the statistical distance is maximized under (6.1) by distributions where $n \in \{1, \dots, 7\}$ values have equal probability $1/8 + 2e - en/4$, and $8 - n$ values have equal probability $1/8 - en/4$. The statistical distance is then $en(2 - n/4)$, which is maximized for $n = 4$, where it is $4e$.¹ □

¹ Note that such a distribution does not satisfy our original, stricter requirements. Values that do satisfy them are $a_0 = a_1 = b_1 = 1/8 + 5/4 \cdot e$ and $b_0 = c_0 = d_0 = c_1 = d_1 = 1/8 - 3/4 \cdot e$, which gives a statistical distance of $3.75e$.
Lemma 6.2. If a protocol $F$ implements $(e, e, e)$-WOT, then it implements $\binom{2}{1}$-ROT secure in the semi-honest model, with an error of at most $9e$.

Proof. Let $(X_0, X_1, C, Y)$ be the output of $F_\emptyset$, let $U$ be the auxiliary output of $F_{\{A\}}$ to A and $V$ the auxiliary output of $F_{\{B\}}$ to B. From Lemma 2.6 follows that $C$ is $e/2$-close to uniform with respect to $(E, X_0, X_1, U)$, and that $X_{1-C}$ is $e/2$-close to uniform with respect to $(E, C, Y, V)$. Let $P'_{X_0X_1CY}$ be the output distribution of $\mathrm{ROT}_\emptyset$.

Lemma 6.1 implies that $P_{X_0X_1C} =_{2e} P'_{X_0X_1C}$. Since $\Pr[Y \neq X_C] \le e$, we have

$$P_{X_0X_1CY} =_{e} P_{X_0X_1C} P'_{Y|X_0X_1C} =_{2e} P'_{X_0X_1CY}.$$

We can now apply Theorem 4.3. □



6.1.2 In the Malicious Model 

We will now also give a formal definition of WOT in the malicious model. The definition differs from the semi-honest case in two important points. Firstly, since we do not have any protocol that can do error reduction in the malicious model, we will only define the case without any error, i.e., $e = 0$. Secondly, for the security of A, we require that the XOR of the two input bits is difficult to guess, because this is a much easier requirement than the standard approach used in Theorem 4.2. Lemma 6.3 shows that the two conditions are equivalent. Notice that the security of the XOR does not suffice in the semi-honest model, and, therefore, this trick cannot be applied there. On the other hand, since in the malicious model a corrupted B may choose $C$ freely, we cannot use Lemma 6.1 and, therefore, the condition $\Pr[Y \neq X_C] = 0$ would not suffice in the malicious model.

Definition 6.2 (Weak oblivious transfer, malicious model). Let

$$F = (F_\emptyset, F_{\{A\}}, F_{\{B\}})$$

be a collection of systems in the malicious model. The system $F$ implements $(p, q)$-WOT (or, if $p$ and $q$ are clear from the context, WOT) in the malicious model, if

• (Correctness): $F_\emptyset = \mathrm{ROT}$.

• (Security for A): The system $F_{\{B\}}$ interacts over the interfaces belonging to B (which produces a transcript $V$), and after the last input is received over these interfaces, it outputs $(X_0, X_1) \in \{0,1\}^2$ to A where $\mathrm{PredAdv}(X_0 \oplus X_1 \mid V) \le q$.

• (Security for B): The system $F_{\{A\}}$ interacts over the interfaces belonging to A (which produces a transcript $U$), and after the last input is received over these interfaces, it outputs $(C, Y) \in \{0,1\}^2$ to B where $\mathrm{PredAdv}(C \mid U) \le p$.



Notice that since we are now in the malicious model, the adversary is able to choose what information he would like to receive, and we could define an ideal functionality in a similar way as we did in Definition 5.3 for UOT. We did not do this in order to be closer to Definition 6.1 and Theorem 4.2.

Again, we will first show that WOT suffices to implement ROT in the malicious model. We will need the following lemma, which has already been proved in [DFSS06].

Lemma 6.3. Let $P_{X_0X_1}$ be given. There exists a random variable $C$ distributed according to a conditional distribution $P_{C|X_0X_1}$ such that $X_{1-C}$ is uniform with respect to $(C, X_C)$, if and only if $X_0 \oplus X_1$ is uniformly distributed.

Proof. Let $P_{X_0X_1C}$ be a distribution such that $X_{1-C}$ is uniform with respect to $(C, X_C)$. We have

$$\begin{aligned}
\Pr[X_0 \oplus X_1 = 0] &= P_{X_0X_1C}(0,0,0) + P_{X_0X_1C}(1,1,0) + P_{X_0X_1C}(0,0,1) + P_{X_0X_1C}(1,1,1) \\
&= P_{X_0X_1C}(0,1,0) + P_{X_0X_1C}(1,0,0) + P_{X_0X_1C}(1,0,1) + P_{X_0X_1C}(0,1,1) \\
&= \Pr[X_0 \oplus X_1 = 1].
\end{aligned}$$

Hence, $X_0 \oplus X_1$ is uniformly distributed.

The other direction is slightly more complicated. Let $X_0 \oplus X_1$ be uniformly distributed. We choose

$$P_{C|X_0X_1}(0 \mid x_0, x_1) := \frac{\min(P_{X_0X_1}(x_0, 0), P_{X_0X_1}(x_0, 1))}{P_{X_0X_1}(x_0, x_1)}.$$

For $C = 0$ and $x_0 \in \{0, 1\}$, we have

$$P_{X_0X_1C}(x_0, 0, 0) = P_{X_0X_1}(x_0, 0) \cdot P_{C|X_0X_1}(0 \mid x_0, 0) = \min(P_{X_0X_1}(x_0, 0), P_{X_0X_1}(x_0, 1)) = P_{X_0X_1C}(x_0, 1, 0).$$

Since $X_0 \oplus X_1$ is uniformly distributed, we have

$$P_{X_0X_1}(0, 0) - P_{X_0X_1}(0, 1) = P_{X_0X_1}(1, 0) - P_{X_0X_1}(1, 1),$$

which implies that for $C = 1$ and $x_1 \in \{0, 1\}$,

$$\begin{aligned}
P_{X_0X_1C}(0, x_1, 1) &= P_{X_0X_1}(0, x_1) \cdot (1 - P_{C|X_0X_1}(0 \mid 0, x_1)) \\
&= P_{X_0X_1}(0, x_1) - \min(P_{X_0X_1}(0, 0), P_{X_0X_1}(0, 1)) \\
&= \max(0, P_{X_0X_1}(0, x_1) - P_{X_0X_1}(0, 1 - x_1)) \\
&= \max(0, P_{X_0X_1}(1, x_1) - P_{X_0X_1}(1, 1 - x_1)) \\
&= P_{X_0X_1C}(1, x_1, 1).
\end{aligned}$$

Hence, for $c \in \{0, 1\}$ and $x_c \in \{0, 1\}$,

$$P_{X_{1-C}X_CC}(0, x_c, c) = P_{X_{1-C}X_CC}(1, x_c, c) = \frac{1}{2} P_{X_CC}(x_c, c).$$

Therefore, $X_{1-C}$ is uniform with respect to $(C, X_C)$. □
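As an added worked example (my own code, not part of the thesis), the constructive half of the proof of Lemma 6.3 can be carried out exactly on a concrete distribution: the conditional $P_{C|X_0X_1}$ is computed from the min formula above, attached to a constructed $P_{X_0X_1}$ with uniform XOR, and the resulting $P_{X_0X_1C}$ is checked for $P_{X_{1-C}X_CC}(0, x_c, c) = P_{X_{1-C}X_CC}(1, x_c, c)$. The input distribution and the function names are mine; exact rational arithmetic avoids any rounding question.

```python
from fractions import Fraction
from itertools import product

# Constructed example input (not from the thesis): a joint distribution of
# (X0, X1) whose XOR is uniform, P(0,0)+P(1,1) = P(0,1)+P(1,0) = 1/2, although
# the pair itself is far from uniform.
P_X0X1 = {
    (0, 0): Fraction(7, 20), (0, 1): Fraction(6, 20),
    (1, 0): Fraction(4, 20), (1, 1): Fraction(3, 20),
}


def xor_is_uniform(p):
    """Pr[X0 xor X1 = 0] == Pr[X0 xor X1 = 1]."""
    return p[(0, 0)] + p[(1, 1)] == p[(0, 1)] + p[(1, 0)]


def choice_conditional(p):
    """P_{C|X0X1}(0 | x0, x1) := min(P(x0,0), P(x0,1)) / P(x0,x1), the choice
    used in the proof of Lemma 6.3.  Returns (x0, x1) -> Pr[C = 0 | x0, x1]."""
    if not xor_is_uniform(p):
        raise ValueError("X0 xor X1 must be uniform (Lemma 6.3)")
    cond = {}
    for x0, x1 in product((0, 1), repeat=2):
        m = min(p[(x0, 0)], p[(x0, 1)])
        # if P(x0, x1) = 0 the conditional is irrelevant; any value works
        cond[(x0, x1)] = m / p[(x0, x1)] if p[(x0, x1)] else Fraction(1)
    return cond


def joint_with_choice(p):
    """P_{X0 X1 C}(x0, x1, c) = P_{X0X1}(x0, x1) * P_{C|X0X1}(c | x0, x1)."""
    cond = choice_conditional(p)
    joint = {}
    for x0, x1 in product((0, 1), repeat=2):
        joint[(x0, x1, 0)] = p[(x0, x1)] * cond[(x0, x1)]
        joint[(x0, x1, 1)] = p[(x0, x1)] * (1 - cond[(x0, x1)])
    return joint


def other_bit_uniform_given_choice(joint):
    """True iff P_{X_{1-C} X_C C}(0, x_c, c) == P_{X_{1-C} X_C C}(1, x_c, c) for
    every (c, x_c), i.e. X_{1-C} is uniform with respect to (C, X_C)."""
    for c, xc in product((0, 1), repeat=2):
        def entry(x_other):
            x = [0, 0]
            x[c], x[1 - c] = xc, x_other   # X_C = xc, X_{1-C} = x_other
            return joint[(x[0], x[1], c)]
        if entry(0) != entry(1):
            return False
    return True
```

On the constructed input the conditional gives $\Pr[C = 0 \mid 0, 0] = 6/7$ and $\Pr[C = 0 \mid 1, 0] = 3/4$ while $C = 0$ with certainty on the other two pairs; swapping two entries so that the XOR is no longer uniform makes `choice_conditional` refuse the input, which is the "only if" direction of the lemma.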

Lemma 6.4. If a protocol $F$ implements $(e, e)$-WOT in the malicious model, then it implements $\binom{2}{1}$-ROT secure in the malicious model, with an error of at most $e/2$.

Proof. Let $\mathcal{A} = \{B\}$. From Lemma 2.6 follows that there exists $(X'_0, X'_1)$ such that

$$\Delta((X_0, X_1, V), (X'_0, X'_1, V)) \le e/2$$

and $X'_0 \oplus X'_1$ is uniform with respect to $V$. We choose $P_{C|X'_0X'_1V}$ as proposed in Lemma 6.3. $X'_{1-C}$ is uniform with respect to $(C, X'_C, V)$, and, therefore, $X_{1-C}$ is $e/2$-close to uniform with respect to $(C, X_C, V)$.

Let $\mathcal{A} = \{A\}$. From Lemma 2.6 follows that $C$ is $e/2$-close to uniform with respect to $U$.

The lemma follows now from Theorem 4.2. □
6.1.3 Relation to Previous Definitions

Difference to WOT from [DKS99, DFMS04]. Besides the fact that we only consider a randomized version of WOT, the difference of our definition of $(p, q, e)$-WOT to the definitions used in [DKS99, DFMS04] is that we do not specify exactly what a malicious player may receive, but we only require that his output should not give too much information about the bits $X_{1-C}$ and $C$. This means that a malicious player may, for example, always receive whether an error occurred in the transmission or not, if that information is independent of the inputs. The most important difference is, however, that our definitions do not require that the error must occur independently of the event that a player gets side information, which is very important when we want to apply it.

Lemmas 2.8 and 2.9 imply that our definitions still are quite close to the definitions from [DKS99, DFMS04], because there exist events with probability $1 - p$ and $1 - q$ such that, if they occur, the adversary does not get any side information.

Connection to GWOT from [DFMS04]. In [DFMS04], Generalized WOT (GWOT) was introduced to improve the achievable range of the reductions. It was shown in Lemma 3 in [DFMS04] that in the reductions they used, WOT can be replaced by a GWOT if the probabilities to guess the bits $X_{1-C}$ and $C$, respectively, remain the same for the adversary. Since we defined WOT over the advantage to guess these values, Lemma 3 in [DFMS04] is not needed anymore, and therefore, at least for the moment, the use of GWOT does not give any advantage over WOT.



6.2 Impossibility Results 

In this section we prove the impossibility result stated in [DKS99], that WOT cannot be amplified if $p + q + 2e > 1$. Note that the proof does not work for the definition of WOT used in [DKS99, DFMS04]. We start with the protocol $\mathrm{SimWOT}_{(p,q)}(\mathrm{Comm})$ that implements $(p, q, e)$-WOT for $p + q + 2e = 1$ in the semi-honest model.



Protocol 5. SimWOT$_A$:

1. Choose $(x'_0, x'_1) \in \{0, 1\}^2$ uniformly at random.

2. With probability $q$, send $a = (x'_0, x'_1)$ to Comm. Otherwise, send $a = \bot$ to Comm.

3. Receive $b$.

4. If $b = \bot$ then output $(x_0, x_1) := (x'_0, x'_1)$. Otherwise, $b = (c, y) \in \{0, 1\}^2$. Output $(x_0, x_1)$, where $x_c := y$ and $x_{1-c} := x'_{1-c}$.

SimWOT$_B$:

1. Choose $(c', y') \in \{0, 1\}^2$ uniformly at random.

2. Receive $a$.

3. If $a = \bot$ then output $(c, y) := (c', y')$ and send with probability $p/(1 - q)$ the value $(c', y')$ to Comm, and $\bot$ otherwise. Otherwise, $a = (x_0, x_1) \in \{0, 1\}^2$. Send $\bot$ to Comm and output $(c, y) := (c', x_{c'})$.

Lemma 6.5. Protocol $\mathrm{SimWOT}_{(p,q)}(\mathrm{Comm})$ securely implements $(p, q, (1 - p - q)/2)$-WOT in the semi-honest model.

Proof. Let $E := Y \oplus X_C$. With probability $q$, B will adjust his output such that $Y = X_C$, and with probability $(1 - q) \cdot p/(1 - q) = p$, A will adjust her output such that $X_C = Y$. With probability $1 - p - q$, the values $(X_0, X_1)$ and $(C, Y)$ will be chosen uniformly at random. Therefore, we have

$$\Pr[Y \neq X_C] = (1 - p - q)/2.$$

When $\mathrm{SimWOT}_A$ sends $\bot$ to Comm, then the value $X_{1-C}$ is uniform with respect to $(V, E)$. From Lemma 2.9 follows that

$$\mathrm{PredAdv}(X_{1-C} \mid V, E) \le q.$$

When $\mathrm{SimWOT}_B$ sends $\bot$ to Comm, then the value $C$ is uniform with respect to $(U, E)$. From Lemma 2.9 follows that

$$\mathrm{PredAdv}(C \mid U, E) \le p.$$

□
We need the following well-known fact.

Lemma 6.6. There cannot exist a protocol $P(\mathrm{Comm})$ that securely implements $\binom{2}{1}$-OT$^1$ in the weak semi-honest model.

Theorem 6.1. For any $p$, $q$, and $e$ with $p + q + 2e > 1$ and for any $n$, there cannot exist a protocol $P((p, q, e)\text{-WOT}^{\|n} \| \mathrm{Comm})$ that securely implements $\binom{2}{1}$-OT$^1$ in the semi-honest or the malicious model.

Proof. From Lemma 3.1 follows that $P$ is secure in the weak semi-honest model. Therefore, it would follow from Lemma 6.5 and Theorem 3.3 that the protocol

$$P(\mathrm{SimWOT}_{(p,q)}(\mathrm{Comm})^{\|n} \| \mathrm{Comm})$$

would implement $\binom{2}{1}$-OT$^1$ from scratch in the weak semi-honest model, which contradicts Lemma 6.6. □



6.3 Basic Protocols for WOT Amplification 

We now present the three basic protocols that we use to implement ROT from WOT. The protocol R-Reduce allows for reducing the parameter $q$, and the protocol S-Reduce is used to reduce the parameter $p$ (see Lemmas 6.7 and 6.9). Both reductions were already used in [CK88, DKS99, DFMS04, Hai04], as well as in [HKN+05, MPW07] for building OT combiners. The protocol E-Reduce is used to reduce the parameter $e$. Whereas the other two protocols are secure in both models, E-Reduce is only secure in the semi-honest model. The same protocol was also used in [Hai04] and is the one-way variant of the protocol E-Reduce presented in [DKS99]. Notice that since we defined WOT to be a randomized primitive, we are not able to choose the input, which makes the protocols slightly more complicated.

We first present all protocols in the semi-honest model, and later give the 
proofs for the malicious model. 

6.3.1 In the Semi-Honest Model 

The protocol $\mathrm{R\text{-}Reduce}(\mathrm{WOT}^{\|n} \| \mathrm{Comm})$ is defined as follows.

Protocol 6. R-Reduce$_A$:

1. Receive $(x_{0,i}, x_{1,i})$ from the $i$th WOT, for all $i \in \{0, \dots, n-1\}$.

2. Receive $d^{n-1} = (d_0, \dots, d_{n-2})$ from Comm. Set $d_{n-1} := 0$.

3. Output $(x_0, x_1) := \big(\bigoplus_{i=0}^{n-1} x_{d_i, i},\ \bigoplus_{i=0}^{n-1} x_{d_i \oplus 1, i}\big)$.

R-Reduce$_B$:

1. Receive $(c_i, y_i)$ from the $i$th WOT, for all $i \in \{0, \dots, n-1\}$.

2. Send $d^{n-1} = (d_0, \dots, d_{n-2})$ to Comm, where $d_i := c_{n-1} \oplus c_i$.

3. Output $(c, y) := \big(c_{n-1},\ \bigoplus_{i=0}^{n-1} y_i\big)$.



[Figure: the protocol R-Reduce. R-Reduce$_A$ outputs $(x_0, x_1)$ and R-Reduce$_B$ outputs $(c, y)$; both are connected to the $n$ WOT instances, and $d^{n-1}$ is sent from B to A over Comm.]
Lemma 6.7. The protocol $\mathrm{R\text{-}Reduce}((p, q, e)\text{-WOT}^{\|n} \| \mathrm{Comm})$ securely implements $(p', q', e')$-WOT in the semi-honest model, where $p' = 1 - (1 - p)^n \le np$, $q' = q^n \le e^{-n(1-q)}$, and $e' = (1 - (1 - 2e)^n)/2 \le ne$.

Proof. Let $E_i := Y_i \oplus X_{C_i, i}$, and $E := Y \oplus X_C$. We have

$$E = Y \oplus X_C = \bigoplus_{i=0}^{n-1} Y_i \oplus \bigoplus_{i=0}^{n-1} X_{D_i \oplus C, i} = \bigoplus_{i=0}^{n-1} Y_i \oplus X_{C_i, i} = \bigoplus_{i=0}^{n-1} E_i.$$

Let $\mathcal{A} = \emptyset$. Since $\Pr[E_i = 1] \le e$, it follows from the lemma on the XOR of independent biased bits that

$$\Pr[E = 1] \le \frac{1 - (1 - 2e)^n}{2} \le ne.$$

Let $\mathcal{A} = \{B\}$, and let $V_i$ be the auxiliary output to B from the $i$th instance of $\mathrm{WOT}_{\{B\}}$. The auxiliary output of the protocol to B is $V := V^n$. Since

$$X_{1-C} = \bigoplus_{i=0}^{n-1} X_{1 - D_i \oplus C, i} = \bigoplus_{i=0}^{n-1} X_{1 - C_i, i},$$

and because $E$ is a function of $E^n$, it follows from Lemmas 2.7 and 2.10 that

$$\mathrm{PredAdv}(X_{1-C} \mid V, E) \le \mathrm{PredAdv}(X_{1-C} \mid V^n, E^n) = \prod_{i=0}^{n-1} \mathrm{PredAdv}(X_{1 - C_i, i} \mid V_i, E_i) \le q^n \le e^{-n(1-q)}.$$

Let $\mathcal{A} = \{A\}$, and let $U_i$ be the auxiliary output to A from the $i$th instance of $\mathrm{WOT}_{\{A\}}$. The auxiliary output of the protocol to A is $U := (U^n, D^{n-1})$. Because $E$ is a function of $E^n$, Lemmas 2.7, 2.11 and A.9 imply that

$$\mathrm{PredAdv}(C \mid U, E) \le \mathrm{PredAdv}(C \mid U^n, E^n, D^{n-1}) \le 1 - \prod_{i=0}^{n-1} \big(1 - \mathrm{PredAdv}(C_i \mid U_i, E_i)\big) \le 1 - (1 - p)^n \le np.$$

□

We will also need a protocol S-Reduce that reduces the parameter $p$. To achieve this, we can simply use the protocol R-Reduce in the opposite direction, together with the protocol ROTOR. We need the fact that Protocol ROTOR(WOT) implements WOT in the inverse direction.

Lemma 6.8. Protocol $\mathrm{ROTOR}((p, q, e)\text{-WOT})$ implements $(q, p, e)$-WOT in the opposite direction, secure in the semi-honest model.

Proof. Let $(X'_0, X'_1, C', Y')$ be the output of $\mathrm{WOT}_\emptyset$, and let $(X_0, X_1, C, Y)$ be the output of ROTOR. Let $U'$ be the auxiliary output to A by $\mathrm{WOT}_{\{A\}}$, and let $V'$ be the auxiliary output to B by $\mathrm{WOT}_{\{B\}}$. The auxiliary output to A by ROTOR is $V = U'$, and the auxiliary output to B by ROTOR is $U = V'$.

Let $E := Y \oplus X_C$. It is easy to verify that $E' = Y' \oplus X'_{C'} = E$, and therefore that the correctness condition is satisfied. From Lemma 2.12 follows that

$$\mathrm{PredAdv}(X_{1-C} \mid V, E) = \mathrm{PredAdv}(X_{1-C} \oplus (E \oplus Y) \mid V, E) = \mathrm{PredAdv}(X_{1-C} \oplus X_C \mid V, E') = \mathrm{PredAdv}(C' \mid U', E') \le p$$

and

$$\mathrm{PredAdv}(C \mid U, E) = \mathrm{PredAdv}(X'_0 \oplus X'_1 \mid V', E') = \mathrm{PredAdv}(X'_{1-C'} \oplus X'_{C'} \mid V', E') = \mathrm{PredAdv}(X'_{1-C'} \mid V', E') \le q.$$

□

We can, therefore, implement S-Reduce in the following way: We apply ROTOR to all $n$ instances of WOT, then use R-Reduce in the opposite direction, and finally apply ROTOR to the resulting WOT. We get

Lemma 6.9. The protocol $\mathrm{S\text{-}Reduce}((p, q, e)\text{-WOT}^{\|n} \| \mathrm{Comm})$ securely implements $(p', q', e')$-WOT in the semi-honest model, where $q' = 1 - (1 - q)^n \le nq$, $p' = p^n \le e^{-n(1-p)}$, and $e' = (1 - (1 - 2e)^n)/2 \le ne$.

Protocol $\mathrm{E\text{-}Reduce}(\mathrm{WOT}^{\|n} \| \mathrm{Comm})$ reduces the error $e$, and is defined as follows.

Protocol 7. E-Reduce$_A$:

1. Receive $(x_{0,i}, x_{1,i})$ from the $i$th WOT, for all $i \in \{0, \dots, n-1\}$.

2. Receive $d^{n-1} = (d_0, \dots, d_{n-2})$ from Comm.

3. Send $(s_0^{n-1}, s_1^{n-1}) = ((s_{0,0}, \dots, s_{0,n-2}), (s_{1,0}, \dots, s_{1,n-2}))$ to Comm, where $s_{j,i} := x_{d_i \oplus j, i} \oplus x_{j, n-1}$.

4. Output $x_0 := x_{0,n-1}$ and $x_1 := x_{1,n-1}$.

E-Reduce$_B$:

1. Receive $(c_i, y_i)$ from the $i$th WOT, for all $i \in \{0, \dots, n-1\}$.

2. Send $d^{n-1} = (d_0, \dots, d_{n-2})$ to Comm, where $d_i := c_{n-1} \oplus c_i$.

3. Receive $(s_0^{n-1}, s_1^{n-1})$ from Comm.

4. Output $(c, y) := (c_{n-1}, \mathrm{maj}(\tilde y_0, \dots, \tilde y_{n-1}))$, where $\tilde y_i := y_i \oplus s_{c_{n-1}, i}$ for $i \in \{0, \dots, n-2\}$ and $\tilde y_{n-1} := y_{n-1}$.
[Figure: the protocol E-Reduce. E-Reduce$_A$ outputs $(x_0, x_1)$ and E-Reduce$_B$ outputs $(c, y)$; both are connected to the $n$ WOT instances, B sends $d^{n-1}$ and A answers with $(s_0^{n-1}, s_1^{n-1})$ over Comm.]
Lemma 6.10. Protocol $\mathrm{E\text{-}Reduce}((p, q, e)\text{-WOT}^{\|n} \| \mathrm{Comm})$ securely implements $(p', q', e')$-WOT in the semi-honest model, where $p' = 1 - (1 - p)^n \le np$, $q' = 1 - (1 - q)^n \le nq$ and

$$e' = \sum_{i \ge n/2} \binom{n}{i} e^i (1 - e)^{n-i} \le e^{-2n(1/2 - e)^2}.$$

Proof. Let $E_i := Y_i \oplus X_{C_i, i}$ and $E := Y \oplus X_C$.

Let $\mathcal{A} = \emptyset$. We have $\Pr[E_i = 1] \le e$. Since for $i \in \{0, \dots, n-2\}$

$$\tilde Y_i = Y_i \oplus S_{C_{n-1}, i} = Y_i \oplus X_{D_i \oplus C_{n-1}, i} \oplus X_{C_{n-1}, n-1} = Y_i \oplus X_{C_i, i} \oplus X_C = E_i \oplus X_C,$$

it follows from Lemma A.10 that the protocol satisfies correctness with an error of at most $e'$.

Let $\mathcal{A} = \{B\}$. Let $V_i$ be the auxiliary output to B from the $i$th instance of $\mathrm{WOT}_{\{B\}}$. The auxiliary output to B is $V = (D^{n-1}, S_0^{n-1}, S_1^{n-1}, V^n)$. Note that $D^{n-1}$ is a function of $V^n$. Furthermore, $S_C^{n-1}$ is a function of $(V^n, E^n)$, because

$$S_{C, i} = Y_i \oplus E_i \oplus Y_{n-1} \oplus E_{n-1}$$

for all $i$. Since

$$X_{1-C} = X_{1-C, n-1} = S_{1-C, i} \oplus X_{1 - D_i \oplus C, i} = S_{1-C, i} \oplus X_{1 - C_i, i},$$

Lemmas 2.7, 2.11 and A.9 imply

$$\mathrm{PredAdv}(X_{1-C} \mid V, E) \le \mathrm{PredAdv}(X_{1-C} \mid V^n, E^n, S_{1-C}^{n-1}) \le 1 - \prod_{i=0}^{n-1} \big(1 - \mathrm{PredAdv}(X_{1 - C_i, i} \mid V_i, E_i)\big) \le 1 - (1 - q)^n \le nq.$$

Let $\mathcal{A} = \{A\}$, and let $U_i$ be the auxiliary output to A from the $i$th instance of $\mathrm{WOT}_{\{A\}}$. The auxiliary output of the protocol to A is $U := (U^n, D^{n-1})$. Because $E$ is a function of $E^n$, it follows from Lemmas 2.7, 2.11 and A.9 that

$$\mathrm{PredAdv}(C \mid U, E) \le \mathrm{PredAdv}(C \mid U^n, E^n, D^{n-1}) \le 1 - \prod_{i=0}^{n-1} \big(1 - \mathrm{PredAdv}(C_i \mid U_i, E_i)\big) \le 1 - (1 - p)^n \le np.$$

□
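As an added example (my own simulation code, not part of the thesis), the following Python models the protocols of this section at the bit level: SimWOT (Protocol 5) serves as a constructed source of leaky, erroneous WOT instances, and R-Reduce (Protocol 6) and E-Reduce (Protocol 7) are run on lists of such instances. Only the four output bits of each instance are modelled; the auxiliary outputs (what was revealed over Comm) are not tracked, so the code checks correctness and the identities $E = \bigoplus_i E_i$ (proof of Lemma 6.7) and $\tilde Y_i = E_i \oplus X_C$ (proof of Lemma 6.10), and estimates the error probabilities, but not the PredAdv bounds. Function names are mine.

```python
import random
from typing import Callable, List, Tuple

Instance = Tuple[Tuple[int, int], Tuple[int, int]]   # ((x0, x1), (c, y))


def sim_wot(p: float, q: float, rng: random.Random) -> Instance:
    """One (p, q, (1-p-q)/2)-WOT instance, following SimWOT_A / SimWOT_B.
    With probability q, A reveals (x0', x1') and B aligns y := x_c; otherwise,
    with probability p/(1-q), B reveals (c', y') and A aligns x_c := y.
    Only the four output bits are modelled, not what was sent over Comm."""
    if not (0 <= p and 0 <= q < 1 and p + q <= 1):
        raise ValueError("need p, q >= 0, q < 1 and p + q <= 1")
    x0, x1 = rng.randrange(2), rng.randrange(2)
    c, y = rng.randrange(2), rng.randrange(2)
    if rng.random() < q:
        y = (x0, x1)[c]
    elif rng.random() < p / (1 - q):
        if c == 0:
            x0 = y
        else:
            x1 = y
    return (x0, x1), (c, y)


def sample_instances(p: float, q: float, n: int, seed: int) -> List[Instance]:
    rng = random.Random(seed)
    return [sim_wot(p, q, rng) for _ in range(n)]


def error_bit(inst: Instance) -> int:
    """E = Y xor X_C."""
    (x0, x1), (c, y) = inst
    return y ^ (x0, x1)[c]


def r_reduce(insts: List[Instance]) -> Instance:
    """Protocol 6.  B: c := c_{n-1}, d_i := c_{n-1} xor c_i, y := XOR_i y_i.
    A: with d_{n-1} := 0, x_j := XOR_i x_{d_i xor j, i}."""
    n = len(insts)
    c = insts[-1][1][0]
    d = [c ^ insts[i][1][0] for i in range(n - 1)] + [0]
    x0 = x1 = y = 0
    for i, ((a0, a1), (_, yi)) in enumerate(insts):
        x0 ^= (a0, a1)[d[i]]
        x1 ^= (a0, a1)[d[i] ^ 1]
        y ^= yi
    return (x0, x1), (c, y)


def e_reduce_views(insts: List[Instance]) -> Tuple[Instance, List[int]]:
    """Protocol 7.  Returns the output instance together with B's corrected
    bits y~_i = y_i xor s_{c,i} (y~_{n-1} = y_{n-1}) before the majority vote."""
    n = len(insts)
    xs = [s for s, _ in insts]
    c = insts[-1][1][0]
    d = [c ^ insts[i][1][0] for i in range(n - 1)]
    # A's message: s_{j,i} = x_{d_i xor j, i} xor x_{j, n-1}
    s = [[xs[i][d[i] ^ j] ^ xs[n - 1][j] for i in range(n - 1)] for j in (0, 1)]
    ytil = [insts[i][1][1] ^ s[c][i] for i in range(n - 1)] + [insts[-1][1][1]]
    y = 1 if 2 * sum(ytil) > n else 0       # majority; a tie decodes as 0
    return (xs[n - 1], (c, y)), ytil


def e_reduce(insts: List[Instance]) -> Instance:
    return e_reduce_views(insts)[0]


def empirical_error(proto: Callable[[List[Instance]], Instance], p: float,
                    q: float, n: int, trials: int, seed: int) -> float:
    """Monte Carlo estimate of Pr[E = 1] for proto run on n SimWOT instances."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        bad += error_bit(proto([sim_wot(p, q, rng) for _ in range(n)]))
    return bad / trials


if __name__ == "__main__":
    # Three (0.4, 0.4, 0.1)-WOT instances: Lemma 6.7 gives (1 - 0.8^3)/2 for
    # R-Reduce and Lemma 6.10 gives 3e^2 - 2e^3 for E-Reduce.
    print("R-Reduce", empirical_error(r_reduce, 0.4, 0.4, 3, 20000, 1))
    print("E-Reduce", empirical_error(e_reduce, 0.4, 0.4, 3, 20000, 1))
```

The two identities are exact, so they hold for every seed; the Monte Carlo estimates show the trade-off the lemmas state: on the same three instances R-Reduce roughly triples the error while E-Reduce shrinks it to about $3e^2$.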



6.3.2 In the Malicious Model 

We will now show that the protocols R-Reduce and S-Reduce are also 
secure in the malicious model, for the same parameters as in the semi- 
honest model. 

Lemma 6.11. Protocol $\mathrm{R\text{-}Reduce}((p, q)\text{-WOT}^{\|n} \| \mathrm{Comm})$ securely implements $(p', q')$-WOT in the malicious model, where $p' = 1 - (1 - p)^n \le np$ and $q' = q^n \le e^{-n(1-q)}$.

Proof. Let $\mathcal{A} = \emptyset$. It is easy to verify that $X_0$, $X_1$, and $C$ are uniformly distributed. Further, we have

$$Y = \bigoplus_{i=0}^{n-1} Y_i = \bigoplus_{i=0}^{n-1} X_{C_i, i} = \bigoplus_{i=0}^{n-1} X_{D_i \oplus C, i} = X_C.$$

Hence, the protocol achieves correctness.

Let $\mathcal{A} = \{A\}$, and let $U_i$ be the transcript of the interaction with player A by the $i$th instance of WOT. The transcript of the interaction with A of the protocol is $U := (U^n, D^{n-1})$. From Lemmas 2.11 and A.9 follows that

$$\mathrm{PredAdv}(C \mid U) \le \mathrm{PredAdv}(C \mid U^n, D^{n-1}) \le 1 - \prod_{i=0}^{n-1} \big(1 - \mathrm{PredAdv}(C_i \mid U_i)\big) \le 1 - (1 - p)^n \le np.$$

Let $\mathcal{A} = \{B\}$, and let $V_i$ be the transcript of the interaction with player B by the $i$th instance of WOT. The transcript of the interaction with B of the protocol is $V := (V^n, D^{n-1})$. Note that since $D^{n-1}$ is a probabilistic function of $V^n$ it can be ignored. It follows from Lemmas 2.10 and A.4 that

$$\begin{aligned}
\mathrm{PredAdv}(X_0 \oplus X_1 \mid V) &= \mathrm{PredAdv}\Big(\bigoplus_{i=0}^{n-1} X_{D_i, i} \oplus \bigoplus_{i=0}^{n-1} X_{D_i \oplus 1, i} \;\Big|\; V^n\Big) \\
&\le \mathrm{PredAdv}\Big(\bigoplus_{i=0}^{n-1} (X_{0,i} \oplus X_{1,i}) \;\Big|\; V^n\Big) \\
&= \prod_{i=0}^{n-1} \mathrm{PredAdv}(X_{0,i} \oplus X_{1,i} \mid V_i) \\
&\le q^n \le e^{-n(1-q)}.
\end{aligned}$$

□

The proof that ROTOR(WOT) implements WOT in the opposite direction 
is very simple. 

Lemma 6.12. $\mathrm{ROTOR}((p, q, e)\text{-WOT})$ implements $(q, p, e)$-WOT in the opposite direction, secure in the malicious model.

Proof. It is easy to verify that the correctness condition is satisfied. Furthermore, with $U'$ and $V'$ the transcripts of the underlying WOT and $V = U'$, $U = V'$ as in Lemma 6.8, we have

$$\mathrm{PredAdv}(X_0 \oplus X_1 \mid V) = \mathrm{PredAdv}(C' \mid U') \le p, \qquad \mathrm{PredAdv}(C \mid U) = \mathrm{PredAdv}(X'_0 \oplus X'_1 \mid V') \le q.$$

□
In the same way as in the passive case, we can implement S-Reduce by first applying ROTOR to all $n$ instances of WOT, then using R-Reduce in the opposite direction, and finally applying ROTOR. We get

Lemma 6.13. Protocol $\mathrm{S\text{-}Reduce}((p, q)\text{-WOT}^{\|n} \| \mathrm{Comm})$ securely implements $(p', q')$-WOT in the malicious model, where $q' = 1 - (1 - q)^n \le nq$ and $p' = p^n \le e^{-n(1-p)}$.


6.4 WOT Amplification if $e = 0$

We will now present several protocols that implement ROT from WOT. We start with the special case where $p, q > 0$, but $e = 0$. In [DKS99], a protocol for this case is presented that works for all values $p$ and $q$ if $p + q < 1$, which is optimal. We present a slightly simplified protocol and give a more detailed analysis of its efficiency.

The main part of the reduction is the following lemma, which shows that we can implement a $(p', q')$-WOT out of 4 instances of $(p, q)$-WOT, where the value $1 - (1 - p - q)^2$ is squared.

Lemma 6.14. Let $f(p, q) := 1 - (1 - p - q)^2$, and let $p + q < 1$. We can securely implement $(p', q')$-WOT out of 4 instances of $(p, q)$-WOT with

$$f(p', q') \le f^2(p, q),$$

secure in the semi-honest and the malicious model.



Proof. It suffices to show that

$$1 - p' - q' \ge \sqrt{2 - (1 - p - q)^2} \cdot (1 - p - q),$$

since then

$$f(p', q') = 1 - (1 - p' - q')^2 \le 1 - (2 - (1 - p - q)^2)(1 - p - q)^2 = f^2(p, q).$$

Twice, we apply either the protocol $\mathrm{R\text{-}Reduce}(\mathrm{WOT}^{\|2} \| \mathrm{Comm})$ or the protocol $\mathrm{S\text{-}Reduce}(\mathrm{WOT}^{\|2} \| \mathrm{Comm})$, such that each time the larger of the two parameters gets reduced.

Since the protocols are symmetric, we can assume that $p \ge q$. Therefore, the first protocol that will be applied is S-Reduce. We have to distinguish between two cases. If $p^2 \ge 1 - (1 - q)^2 = 2q - q^2$, then also the second protocol is S-Reduce, and, therefore,

$$p' = p^4, \qquad q' = 1 - (1 - q)^4.$$

Let

$$f_1(p, q) := \frac{1 - p' - q'}{1 - p - q} = \frac{(1 - q)^4 - p^4}{1 - p - q} = p^3 + p^2(1 - q) + (1 - q)^2 p + (1 - q)^3$$

and

$$g_1(p, q) := f_1(p, q) - (1 + p - q) = (p^2 - 2q + q^2)(1 + p - q).$$

We will now show that $f_1(p, q) \ge \sqrt{2 - (1 - p - q)^2}$ if $p^2 \ge 2q - q^2$. Since for $0 \le p \le 1$ and $0 \le q \le 1$, we have $1 + p - q \ge 0$, it follows that $g_1(p, q) \ge 0$ for all $p$ and $q$ that satisfy $p^2 \ge 2q - q^2$ and, therefore, also

$$f_1(p, q) \ge 1 + p - q$$

for all these values. Hence, it suffices to show that

$$1 + p - q \ge \sqrt{2 - (1 - p - q)^2}$$

for $p^2 \ge 2q - q^2$.

Let us fix the value $d := 1 - p - q$. We have $1 + p - q = 2p + d$, and thus $1 + p - q$ is minimal for $p^2 = 2q - q^2$. It is taken on by the values $q_0$ and $p_0 = \sqrt{2q_0 - q_0^2}$, which can be calculated by solving the equation $\sqrt{2q_0 - q_0^2} + q_0 = 1 - d$, which is equivalent to $2q_0^2 - (4 - 2d)q_0 + (1 - 2d + d^2) = 0$. We get

$$q_0 = \frac{(4 - 2d) - \sqrt{(4 - 2d)^2 - 4 \cdot 2 \cdot (1 - 2d + d^2)}}{4} = \frac{2 - d - \sqrt{2 - d^2}}{2}.$$

So, for $p + q = 1 - d$, we have

$$f_1(p, q) \ge 1 + (1 - d - q_0) - q_0 = 2 - d - (2 - d - \sqrt{2 - d^2}) = \sqrt{2 - d^2}.$$
If $p^2 < 2q - q^2$, the second protocol will be R-Reduce, and, therefore,

$$p' = 1 - (1 - p^2)^2 = 2p^2 - p^4, \qquad q' = (1 - (1 - q)^2)^2 = 4q^2 - 4q^3 + q^4.$$

Let

$$f_2(p, q) := \frac{1 - p' - q'}{1 - p - q} = \frac{1 - 2p^2 + p^4 - 4q^2 + 4q^3 - q^4}{1 - p - q} = q^3 - 3q^2 - q^2 p + q + 2qp + qp^2 + 1 + p - p^2 - p^3.$$

We will now show that $f_2(p, q) \ge \sqrt{2 - d^2}$ for $p^2 \le 2q - q^2$. Let

$$g_2(p, q) := f_2(p, q) - (1 + p - q) = (p^2 - 2q + q^2)(q - p - 1),$$

which is equal to $0$ if $p^2 = 2q - q^2$. Therefore, we have

$$f_2(p, q) = 1 + p - q = f_1(p, q)$$

for all $p$ and $q$ that satisfy $p^2 = 2q - q^2$. Again, let us fix $d := 1 - p - q$ and let

$$h_2(q) := f_2(1 - d - q, q) = 4q^3 - (12 - 6d)q^2 + (8 - 12d + 4d^2)q + 4d - 4d^2 + d^3.$$

We differentiate $h_2(q)$ twice, and get

$$h_2'(q) = 12q^2 - (24 - 12d)q + 8 - 12d + 4d^2, \qquad h_2''(q) = 24q - 24 + 12d.$$

Since $p \ge q$ means $q \le (1 - d)/2 < 1 - d/2$, we have $h_2''(q) < 0$ on the whole range considered, so $h_2(q)$ is concave for $0 \le q \le (1 - d)/2$ and $p^2 \le 2q - q^2$. It will therefore take on its minimum at a point on the boundary. On one side, we have $p^2 = 2q - q^2$, and therefore $q_0$ (see above) is the value on the boundary, for which we have $h_2(q_0) = \sqrt{2 - d^2}$. On the other side, $q_1 = (1 - d)/2$ is the value on the boundary, for which we have

$$h_2((1 - d)/2) = \frac{3 - d^2}{2}.$$

For all $d$ we have

$$\frac{3 - d^2}{2} = \sqrt{\frac{(d^2 - 1)^2}{4} + (2 - d^2)} \ge \sqrt{2 - d^2},$$

so the minimum is always at $q_0$. Therefore, both $f_1(p, q)$ and $f_2(p, q)$ take on their minimum at $(1 - d - q_0, q_0)$, and are always at least $\sqrt{2 - d^2}$. The statement follows. □
Theorem 6.2. Let $p(k)$ and $q(k)$ be functions computable in time $\mathrm{poly}(k)$ such that $p(k) + q(k) < 1$ for all $k$. $(2^{-k}, 2^{-k})$-WOT can efficiently be implemented using

$$\frac{2 \cdot k^2}{(1 - p(k) - q(k))^4}$$

instances of $(p, q)$-WOT, secure in the semi-honest and the malicious model.

Proof. We apply $t$ times Lemma 6.14, which gives us a $(p', q')$-WOT with $f(p', q') \le f(p, q)^{2^t}$. Using the elementary bounds $1 - \sqrt{1 - x} \le x$ and $(1 - x)^m \le e^{-mx}$, we get

$$p' + q' = 1 - \sqrt{1 - f(p', q')} \le 1 - \sqrt{1 - f(p, q)^{2^t}} \le f(p, q)^{2^t} \le \exp(-2^t (1 - f(p, q))) = \exp(-2^t (1 - p - q)^2).$$

To satisfy $p' + q' \le 2^{-k}$, we choose

$$t := \left\lceil \log \frac{-\ln(2^{-k})}{(1 - p - q)^2} \right\rceil \le \log\left(\frac{\ln(2) \cdot k}{(1 - p - q)^2}\right) + 1.$$

Our protocol requires

$$4^t \le \frac{4 \cdot \ln^2(2) \cdot k^2}{(1 - p - q)^4} \le \frac{2 \cdot k^2}{(1 - p - q)^4}$$

instances of $(p, q)$-WOT. □



OT-Combiners. As shown in [HKN+05, MPW07], Theorem 6.2 can be used to implement an efficient $(\alpha, \beta; n)$-robust oblivious transfer combiner. We have $n$ different implementations of OT, out of which $\alpha$ are secure for the sender, and $\beta$ are secure for the receiver, where $\alpha + \beta > n$. Choosing randomly one of these $n$ different implementations of OT and using random inputs implements a $(p, q)$-WOT for $p = (n - \beta)/n$, and $q = (n - \alpha)/n$. Since $1 - p - q \ge 1/n$, we can implement a $(2^{-k}, 2^{-k})$-WOT using $2k^2 n^4$ instances of the weak implementations of OT, and common randomness.
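As an added example (my own code, not from the thesis), the following Python follows the greedy schedule of Lemma 6.14 at the level of the WOT parameters only: each 4-instance step applies two 2-instance reductions, each time to the larger of $p$ and $q$, using the exact parameter maps of Lemmas 6.7 and 6.9 for $e = 0$ (S-Reduce maps $(p, q)$ to $(p^2, 1 - (1 - q)^2)$, R-Reduce is the mirror image). It checks $f(p', q') \le f(p, q)^2$ numerically, iterates until $p' + q' \le 2^{-k}$, counts the $4^t$ instances used, and compares with the bound $2k^2/(1 - p - q)^4$ of Theorem 6.2; the last function applies this to the OT-combiner parameters of the paragraph above. Function names are mine.

```python
from typing import Tuple


def r_reduce_params(p: float, q: float, n: int = 2) -> Tuple[float, float]:
    """Lemma 6.7 with e = 0: R-Reduce on n instances shrinks q, grows p."""
    return 1 - (1 - p) ** n, q ** n


def s_reduce_params(p: float, q: float, n: int = 2) -> Tuple[float, float]:
    """Lemma 6.9 with e = 0: S-Reduce on n instances shrinks p, grows q."""
    return p ** n, 1 - (1 - q) ** n


def f(p: float, q: float) -> float:
    """The potential 1 - (1 - p - q)^2 of Lemma 6.14."""
    return 1 - (1 - p - q) ** 2


def lemma_6_14_step(p: float, q: float) -> Tuple[float, float]:
    """Two 2-instance reductions, each applied to the currently larger
    parameter (S-Reduce if p >= q, else R-Reduce); uses 4 instances."""
    for _ in range(2):
        p, q = s_reduce_params(p, q) if p >= q else r_reduce_params(p, q)
    return p, q


def amplify(p: float, q: float, k: int) -> Tuple[float, float, int]:
    """Iterate Lemma 6.14 until p + q <= 2^-k.  Returns (p', q', instances)."""
    if not (0 <= p and 0 <= q and p + q < 1):
        raise ValueError("need p, q >= 0 and p + q < 1")
    instances = 1
    while p + q > 2.0 ** -k:
        p, q = lemma_6_14_step(p, q)
        instances *= 4
    return p, q, instances


def theorem_6_2_bound(p: float, q: float, k: int) -> float:
    """2 k^2 / (1 - p - q)^4, the instance bound of Theorem 6.2."""
    return 2 * k * k / (1 - p - q) ** 4


def combiner_instances(alpha: int, beta: int, n: int, k: int) -> int:
    """(alpha, beta; n)-robust OT combiner: one random implementation with
    random inputs is a ((n-beta)/n, (n-alpha)/n)-WOT; amplify it."""
    if alpha + beta <= n:
        raise ValueError("need alpha + beta > n")
    return amplify((n - beta) / n, (n - alpha) / n, k)[2]
```

Because the loop stops as soon as $p' + q' \le 2^{-k}$, the number of rounds never exceeds the $t$ chosen in the proof of Theorem 6.2, so the instance count stays below the theorem's bound; for $\alpha = \beta = 2$, $n = 3$ and $k = 10$ the combiner needs far fewer than the $2k^2 n^4$ instances stated above.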



6.5 WOT Amplification if $p = 0$ or $q = 0$

We will now look at the special case where $e > 0$, but either $p = 0$ or $q = 0$. This special case has not been considered in [DKS99]. There is a strong connection of this problem to the one-way key-agreement problem studied in [HR05, Hol06], as well as to the statistical-distance polarization problem studied in [SV99, Vad99].

We will make the amplification in two steps. First, in Lemma 6.15 (which is related to Lemma 4.13 in [Hol06]), we implement a WOT with constant errors. In Lemma 6.16 (related to Lemma 4.1 in [SV99]), we show how the error can be made arbitrarily small.

Lemma 6.15. Let $q(k)$ and $e(k)$ be functions computable in time $\mathrm{poly}(k)$ such that $\sqrt{q(k)} + 2e(k) < 1$ for all $k$. Let

$$\lambda := \max\left(1, \frac{1}{\log((1 - 2e)^2 / q)}\right).$$

Then $(0, 1/3, 1/50)$-WOT can efficiently be implemented using at most

$$\frac{128 \lambda}{(1 - 2e)^{12\lambda}}$$

instances of $(0, q, e)$-WOT secure in the semi-honest model.

Proof. Let $\alpha = 1 - 2e$ and $\beta = \max(q, \alpha^2/2)$. Note that $\lambda = 1/\log(\alpha^2/\beta)$. We use

$$G = \mathrm{R\text{-}Reduce}(F^{\|s} \| \mathrm{Comm}), \qquad H = \mathrm{E\text{-}Reduce}(G^{\|r} \| \mathrm{Comm})$$

for $s := \lceil 5\lambda \rceil$ and $r := \lceil 1/(4\beta^s) \rceil$. Notice that $s \le 5\lambda + 1 \le 6\lambda$. Further, since $s \ge 5/\log(\alpha^2/\beta) \ge 5/\log(1/\beta) = \log_\beta(1/32)$, we get $\beta^s \le 1/32$ and

$$r \le \frac{1}{4\beta^s} + 1 = \frac{1 + 4\beta^s}{4\beta^s} \le \frac{1 + 4/32}{4\beta^s} = \frac{9}{32\beta^s} \le \frac{1}{3\beta^s}.$$

Using Lemmas 6.7 and 6.10 we get that $G$ is a $(0, \beta', (1 - \alpha')/2)$-WOT with $\beta' = \beta^s$ and $\alpha' = \alpha^s$, and $H$ is a $(0, q'', e'')$-WOT with

$$e'' \le \exp\left(-2r\left(\frac{1}{2} - \frac{1 - \alpha'}{2}\right)^2\right) = \exp\left(-r \frac{\alpha'^2}{2}\right) \le \exp\left(-\frac{1}{4\beta^s} \cdot \frac{\alpha^{2s}}{2}\right) = \exp\left(-\frac{1}{8}\left(\frac{\alpha^2}{\beta}\right)^s\right) \le \exp\left(-\frac{1}{8} \cdot 2^{5\lambda \log(\alpha^2/\beta)}\right) = \exp(-32/8) < 1/50$$

and, using that $r \le 1/(3\beta^s)$, we get $q'' \le r\beta' \le r\beta^s \le 1/3$. Finally, the number of instances used is $s \cdot r$, which is at most

$$6\lambda \cdot \frac{1}{3\beta^s} = \frac{2\lambda}{\beta^s} \le \frac{2\lambda}{\beta^{6\lambda}} = \frac{128\lambda}{\alpha^{12\lambda}},$$

since $2^{1/\lambda} = \alpha^2/\beta$ and thus $\beta^{6\lambda} = \alpha^{12\lambda}/64$. □
Lemma 6.16. $(0, 2^{-k}, 2^{-k})$-WOT can efficiently be implemented using

$$116 \cdot \log(20k) \cdot k^{\log 3 + 1} = O(k^{2.6})$$

instances of $(0, 1/3, 1/11)$-WOT secure in the semi-honest model.

Proof. Let $\beta = 1/3$, and $\alpha = 1 - 2 \cdot 1/11 = 9/11$. Let $\ell = \lceil \log(4k + 4\log k) \rceil$ and $m = 3^\ell/2$. We use the reductions

$$G = \mathrm{R\text{-}Reduce}(F^{\|\ell} \| \mathrm{Comm}), \qquad H = \mathrm{E\text{-}Reduce}(G^{\|m} \| \mathrm{Comm}), \qquad I = \mathrm{R\text{-}Reduce}(H^{\|k} \| \mathrm{Comm}).$$

Using Lemmas 6.7 and 6.10, and since $F$ is a $(0, \beta, (1 - \alpha)/2)$-WOT, $G$ is a $(0, \beta', (1 - \alpha')/2)$-WOT, where $\beta' = \beta^\ell$ and $\alpha' = \alpha^\ell$. $H$ is a $(0, \beta'', e'')$-WOT with

$$\beta'' \le m\beta' = 3^\ell/2 \cdot (1/3)^\ell = 1/2$$

and, since $3 \cdot \alpha^2 > 2$,

$$e'' \le \exp\left(-m \frac{\alpha'^2}{2}\right) = \exp\left(-\frac{(3\alpha^2)^\ell}{4}\right) \le \exp\left(-\frac{2^\ell}{4}\right) \le \exp(-k - \log k) \le 2^{-k - \log k}.$$

Finally, $I$ is a $(0, \beta''', e''')$-WOT with $e''' \le k \cdot 2^{-k - \log k} = 2^{-k}$ and $\beta''' \le 2^{-k}$. From Lemma A.4 follows that

$$4k + 4\log k = 4k + 4\ln(k)/\ln(2) \le 4k + (4k - 1)/\ln(2) \le 10k.$$

The number of instances used is, using Lemma A.4,

$$\ell \cdot m \cdot k \le (\log(4k + 4\log k) + 1) \cdot 3^{\log(4k + 4\log k) + 1} \cdot k \le (\log(10k) + 1) \cdot 3 \cdot (10k)^{\log 3} \cdot k \le 116 \cdot \log(20k) \cdot k^{\log 3 + 1} = O(k^{2.6}).$$

□

Combining Lemma 6.15 and Lemma 6.16 we get the following theorem.

Theorem 6.3. Let $q(k)$ and $e(k)$ be functions computable in time $\mathrm{poly}(k)$ such that $\sqrt{q(k)} + 2e(k) < 1$ for all $k$. Let

$$\lambda := \max\left(1, \frac{1}{\log((1 - 2e)^2 / q)}\right).$$

$(0, 2^{-k}, 2^{-k})$-WOT can efficiently be implemented using at most

$$O\left(\frac{k^{2.6} \lambda}{(1 - 2e)^{12\lambda}}\right)$$

instances of $(0, q, e)$-WOT secure in the semi-honest model.

Since R-Reduce and S-Reduce are symmetric, we immediately get

Corollary 6.1. Let $p(k)$ and $e(k)$ be functions computable in time $\mathrm{poly}(k)$ such that $\sqrt{p(k)} + 2e(k) < 1$ for all $k$. Let

$$\lambda := \max\left(1, \frac{1}{\log((1 - 2e)^2 / p)}\right).$$

$(2^{-k}, 0, 2^{-k})$-WOT can efficiently be implemented using at most

$$O\left(\frac{k^{2.6} \lambda}{(1 - 2e)^{12\lambda}}\right)$$

instances of $(p, 0, e)$-WOT secure in the semi-honest model.

Since any protocol (using our basic protocols) for the special cases where either $p = 0$ or $q = 0$ can directly be translated into a one-way key-agreement protocol for distributions studied in [HR05], it follows from Theorem 4 in [HR05] that using our basic protocols, this is the best bound that we can achieve. However, it is not clear whether other reductions would be able to achieve a better bound.



6.6 WOT Amplification if $p, q, \varepsilon > 0$

To find an optimal protocol for the general case where all three parameters are non-zero turns out to be much harder than the other three special cases. It is still unknown what the exact bound is in this case. In this section we present some partial results.

We start with the case where all values are non-zero, but smaller than 1/50.

Lemma 6.17. $(2^{-k}, 2^{-k}, 2^{-k})$-WOT can efficiently be implemented using

$$175 \cdot k^{2 + \log 3} \le 175 \cdot k^{3.6}$$

instances of $(1/50, 1/50, 1/50)$-WOT secure in the semi-honest model.

Proof. We set $F_0 := (p, q, \varepsilon)$-WOT and iterate the reduction

$$F_{i+1} := \text{S-Reduce}\Big(\text{R-Reduce}\big(\text{E-Reduce}(F_i^{\|3} \,\|\, \text{Comm})^{\|2} \,\|\, \text{Comm}\big)^{\|2} \,\|\, \text{Comm}\Big),$$

until $F_j$ is a $(p_j, q_j, \varepsilon_j)$-WOT with $\max(p_j, q_j, \varepsilon_j) \le 2^{-k}$. In every iteration, we have $p_{i+1} \le (2 \cdot (3p_i))^2 = 36p_i^2$, $q_{i+1} \le 2 \cdot \big((3q_i)^2\big) = 18q_i^2$, and $\varepsilon_{i+1} \le 2 \cdot 2 \cdot (3\varepsilon_i^2 - 2\varepsilon_i^3) \le 12\varepsilon_i^2$, from which follows that

$$\max(p_j, q_j, \varepsilon_j) \le 36^{2^j - 1} \cdot \left(\frac{1}{50}\right)^{2^j} = \frac{1}{36} \cdot \left(\frac{36}{50}\right)^{2^j} \le \left(\frac{36}{50}\right)^{2^j}.$$

To achieve $\max(p_j, q_j, \varepsilon_j) \le 2^{-k}$, we choose

$$j := \left\lceil \log \frac{k}{\log(50/36)} \right\rceil \le \log(2.1101 \cdot k) + 1 = \log(4.2202 \cdot k).$$

To implement one instance of $F_j$, we need at most

$$12^j \le (4.2202 \cdot k)^{\log 12} \le 175 \cdot k^{2 + \log 3} \le 175 \cdot k^{3.6}$$

instances of $F_0$. □
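The round count in the proof of Lemma 6.17 is easy to check numerically. The following is an added example (our own code, not part of the thesis): it iterates the per-round bounds $p_{i+1} \le 36p_i^2$, $q_{i+1} \le 18q_i^2$, $\varepsilon_{i+1} \le 12\varepsilon_i^2$ from the starting point $(1/50, 1/50, 1/50)$, counts the rounds actually needed to get below $2^{-k}$, and compares the result with the $j$ fixed in the proof and with the closed-form instance bound $175 \cdot k^{2 + \log 3}$. The names of the functions are ours.

```python
import math

START = (1.0 / 50, 1.0 / 50, 1.0 / 50)   # (p_0, q_0, eps_0) of the starting WOT


def next_round(p, q, e):
    """One round F_{i+1} = S-Reduce(R-Reduce(E-Reduce(F_i^{||3})^{||2})^{||2}),
    using the per-parameter bounds from the proof of Lemma 6.17:
    p_{i+1} <= 36 p_i^2, q_{i+1} <= 18 q_i^2, eps_{i+1} <= 12 eps_i^2."""
    return 36 * p * p, 18 * q * q, 12 * e * e


def rounds_needed(k, start=START):
    """Smallest j with max(p_j, q_j, eps_j) <= 2^-k when the bounds are iterated."""
    p, q, e = start
    target = 2.0 ** (-k)
    j = 0
    while max(p, q, e) > target:
        p, q, e = next_round(p, q, e)
        j += 1
    return j


def rounds_bound(k):
    """The j fixed in the proof: ceil(log2(k / log2(50/36))) <= log2(4.2202 k)."""
    return math.ceil(math.log2(k / math.log2(50 / 36)))


def instances_needed(k):
    """Each round consumes 3 * 2 * 2 = 12 instances of the previous level."""
    return 12 ** rounds_needed(k)


def instances_bound(k):
    """Closed-form bound of Lemma 6.17, 175 * k^(2 + log2 3) (k^3.6 when rounded)."""
    return 175 * k ** (2 + math.log2(3))


if __name__ == "__main__":
    print("k  rounds  proof's j  instances  bound")
    for k in (10, 20, 40, 80):
        print(k, rounds_needed(k), rounds_bound(k), instances_needed(k), round(instances_bound(k)))
```

The proof's $j$ is slightly pessimistic because it treats all three parameters with the worst constant 36; the actual iteration usually finishes one round earlier, which is why both the round count and the instance count sit below the stated bounds.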

We will now give a similar bound as in Lemma 5 in [DKS99], which was $p + q + 2\varepsilon < 0.45$. But since our protocol E-Reduce is different, we are only able to achieve a smaller bound. As in [DKS99], we are only able to obtain our bound using a simulation. Our simulation works as follows: Let $l_i(p, q)$ be a function such that for all $p, q$ and $\varepsilon \le l_i(p, q)$, $(1/50, 1/50, 1/50)$-WOT can be implemented using $(p, q, \varepsilon)$-WOT. Using $l_i(p, q)$, we define

$$l_{i+1}(p, q) := \max\Big( S_\varepsilon^{-1}\big(l_i(S_p(p), S_q(q))\big),\; R_\varepsilon^{-1}\big(l_i(R_p(p), R_q(q))\big),\; E_\varepsilon^{-1}\big(l_i(E_p(p), E_q(q))\big) \Big),$$

where

$$S_p(p) := p^2, \qquad S_q(q) := 1 - (1 - q)^2, \qquad S_\varepsilon^{-1}(\varepsilon) := \big(1 - \sqrt{1 - 2\varepsilon}\big)/2,$$
$$R_p(p) := 1 - (1 - p)^2, \qquad R_q(q) := q^2, \qquad R_\varepsilon^{-1}(\varepsilon) := \big(1 - \sqrt{1 - 2\varepsilon}\big)/2,$$
$$E_p(p) := 1 - (1 - p)^3, \qquad E_q(q) := 1 - (1 - q)^3,$$

and $E_\varepsilon^{-1}$ is the inverse of $E_\varepsilon(\varepsilon) := 3\varepsilon^2 - 2\varepsilon^3$.

Now, for all $p, q$ and $\varepsilon \le l_{i+1}(p, q)$, $(1/50, 1/50, 1/50)$-WOT can be implemented using $(p, q, \varepsilon)$-WOT, since applying one of the three protocols $\text{S-Reduce}((p, q, \varepsilon)\text{-WOT}^{\|2} \,\|\, \text{Comm})$, $\text{R-Reduce}((p, q, \varepsilon)\text{-WOT}^{\|2} \,\|\, \text{Comm})$, or $\text{E-Reduce}((p, q, \varepsilon)\text{-WOT}^{\|3} \,\|\, \text{Comm})$ gives us an instance of $(p', q', \varepsilon')$-WOT with $\varepsilon' \le l_i(p', q')$, from which $(1/50, 1/50, 1/50)$-WOT can be implemented.

Obviously, $l_0(p, q) := (0.02 - p - q)/2$ satisfies our condition. Iterating 8 times, we get $l_8(p, q)$, where for all $p, q$ we have $l_8(p, q) \ge (0.15 - p - q)/2$. Using $l'_0(p, q) := (0.15 - p - q)/2$ and iterating 11 times, we get $l'_{11}(p, q)$, where for all $p, q$ we have $l'_{11}(p, q) \ge (0.24 - p - q)/2$ (see also Figure 6.2).

Lemma 6.18. If $p + q + 2\varepsilon < 0.24$, then $(1/50, 1/50, 1/50)$-WOT can efficiently be implemented using $O(1)$ instances of $(p, q, \varepsilon)$-WOT, secure in the semi-honest model.
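The simulation behind Lemma 6.18 can be reproduced directly. The following is an added example (our own code, not the thesis's): it implements the bound function $l_i(p, q)$ with the three maps $S$, $R$, $E$ and their error inverses as defined above, and a grid check of the claims $l_8 \ge (0.15 - p - q)/2$ and $l'_{11} \ge (0.24 - p - q)/2$. Two details are our own choices, not the text's: a level $l_i(p', q') < 0$ (no error value is admissible) is encoded as $-\infty$, and $E_\varepsilon^{-1}$ is computed in closed form through the substitution $\varepsilon = (1 - 2\cos t)/2$, which turns $3\varepsilon^2 - 2\varepsilon^3 = x$ into $\cos 3t = 2x - 1$.

```python
import math


def s_eps_inv(x):
    """S_eps^{-1}(x) = (1 - sqrt(1 - 2x)) / 2. A negative level means that no
    error value is admissible at all; we encode that as -inf (our convention)."""
    if x < 0:
        return -math.inf
    return (1 - math.sqrt(1 - 2 * x)) / 2


r_eps_inv = s_eps_inv   # R-Reduce has the same error map as S-Reduce


def e_eps_inv(x):
    """Inverse of E_eps(e) = 3e^2 - 2e^3 on [0, 1]. Writing e = (1 - 2 cos t)/2
    turns the cubic into cos(3t) = 2x - 1, so the root is explicit (this closed
    form is our own shortcut; any root finder would do)."""
    if x < 0:
        return -math.inf
    t = (2 * math.pi - math.acos(max(-1.0, min(1.0, 2 * x - 1)))) / 3
    return (1 - 2 * math.cos(t)) / 2


def linear_base(c):
    """The starting functions used in the text: (c - p - q)/2 with c = 0.02 or 0.15."""
    return lambda p, q: (c - p - q) / 2


def l_bound(i, p, q, base):
    """l_i(p, q): the largest error level for which i rounds of the simulation
    certify that (p, q, eps)-WOT reaches the base region. Each round tries
    S-Reduce and R-Reduce on 2 instances and E-Reduce on 3, and keeps the best."""
    if i == 0:
        return base(p, q)
    prev = lambda a, b: l_bound(i - 1, a, b, base)
    return max(
        s_eps_inv(prev(p * p, 1 - (1 - q) ** 2)),             # after S-Reduce
        r_eps_inv(prev(1 - (1 - p) ** 2, q * q)),             # after R-Reduce
        e_eps_inv(prev(1 - (1 - p) ** 3, 1 - (1 - q) ** 3)),  # after E-Reduce
    )


def min_margin(i, base, c, step):
    """Minimum of l_i(p, q) - (c - p - q)/2 over a grid of (p, q) with p + q < c.
    A non-negative result reproduces the claim l_i(p, q) >= (c - p - q)/2 on the grid."""
    worst = math.inf
    n = int(round(c / step))
    for a in range(n):
        for b in range(n - a):
            p, q = a * step, b * step
            worst = min(worst, l_bound(i, p, q, base) - (c - p - q) / 2)
    return worst


if __name__ == "__main__":
    # Phase 1 of the text: 8 rounds from l_0 should dominate (0.15 - p - q)/2.
    print("phase 1 margin:", min_margin(8, linear_base(0.02), 0.15, 0.01))
    # Phase 2: 11 rounds from l'_0 = (0.15 - p - q)/2 should dominate (0.24 - p - q)/2
    # (3^11 leaf evaluations per grid point, so the grid is kept coarse).
    print("phase 2 margin:", min_margin(11, linear_base(0.15), 0.24, 0.06))
```

At $(p, q) = (0.001, 0.001)$, for instance, one round already lifts the admissible error from $l_0 = 0.009$ to $l_1 \approx 0.049$, and the winning branch is E-Reduce: three instances with $\varepsilon \approx 0.049$ majority-vote down to $\varepsilon' \approx 0.007$ while $p$ and $q$ only triple.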

We will now further extend this result and give bounds for the cases where one of the three values is large, while the others are small.

Lemma 6.19. If $p + 22q + 44\varepsilon < 1$, then $(p', q', \varepsilon')$-WOT with $p' + q' + 2\varepsilon' < 0.24$ can efficiently be implemented using $4/(1 - p)$ instances of $(p, q, \varepsilon)$-WOT, secure in the semi-honest model.



Figure 6.2: Plot of the bounds $\varepsilon = l'_{11}(p, q)$ and $p + q + 2\varepsilon = 0.24$.



Proof. We apply

$$F = \text{S-Reduce}\big((p, q, \varepsilon)\text{-WOT}^{\|n} \,\|\, \text{Comm}\big)$$

for an $n > 0$ such that $F$ is a $(p', q', \varepsilon')$-WOT with $p' + q' + 2\varepsilon' < 0.24$. Using Lemma 6.9 we need to find a value $n$ and constants $\alpha$ and $\beta$ with $\alpha + \beta \le 0.24$, such that $e^{-n(1-p)} \le \alpha$ and $nq + 2n\varepsilon \le \beta$, which is equivalent to $n(1 - p) \ge \ln(1/\alpha)$ and $q + 2\varepsilon \le \beta/n$. We can choose

$$n := \left\lceil \frac{\ln(1/\alpha)}{1 - p} \right\rceil \le \frac{\ln(1/\alpha)}{1 - p} + 1 \le \frac{\ln(1/\alpha) + 1}{1 - p}.$$

The first inequality is satisfied by definition of $n$, and the second if

$$q + 2\varepsilon \le \frac{\beta(1 - p)}{\ln(1/\alpha) + 1},$$

which is equivalent to

$$\frac{\ln(1/\alpha) + 1}{\beta}\,(q + 2\varepsilon) + p \le 1.$$

Choosing $\alpha = 0.05$ and $\beta = 0.19$, we get $(\ln(1/\alpha) + 1)/\beta \le 22$. Our protocol needs $n \le 4/(1 - p)$ instances. □

In the same way, we get

Lemma 6.20. If $22p + q + 44\varepsilon < 1$, then $(p', q', \varepsilon')$-WOT with $p' + q' + 2\varepsilon' < 0.24$ can efficiently be implemented using $4/(1 - q)$ instances of $(p, q, \varepsilon)$-WOT, secure in the semi-honest model.

The proof of Lemma 6.20 is omitted, as it can be done in the same way as the proof of Lemma 6.19.

Lemma 6.21. If $7\sqrt{p + q} + 2\varepsilon < 1$, then $(p', q', \varepsilon')$-WOT with $p' + q' + 2\varepsilon' < 0.24$ can efficiently be implemented using $3(1/2 - \varepsilon)^{-2}$ instances of $(p, q, \varepsilon)$-WOT, secure in the semi-honest model.



Proof. We apply

$$F = \text{E-Reduce}\big((p, q, \varepsilon)\text{-WOT}^{\|n} \,\|\, \text{Comm}\big)$$

for an $n > 0$ such that $F$ is a $(p', q', \varepsilon')$-WOT with $p' + q' + 2\varepsilon' < 0.24$. Using Lemma 6.10 we need to find a value $n$ and constants $\alpha$ and $\beta$ with $2\alpha + \beta \le 0.24$, such that $e^{-2n(1/2 - \varepsilon)^2} \le \alpha$ and $np + nq \le \beta$, which is equivalent to $2n(1/2 - \varepsilon)^2 \ge \ln(1/\alpha)$ and $p + q \le \beta/n$. Furthermore, we need $\varepsilon < 1/2$. We choose

$$n := \left\lceil \frac{\ln(1/\alpha)}{2(1/2 - \varepsilon)^2} \right\rceil \le \frac{\ln(1/\alpha)}{2(1/2 - \varepsilon)^2} + 1 \le \frac{\ln(1/\alpha) + 1/2}{2(1/2 - \varepsilon)^2}.$$

The last inequality follows from the fact that $2(1/2 - \varepsilon)^2 \le 1/2$. The first inequality is satisfied by definition of $n$, and the second if

$$p + q \le \frac{2\beta(1/2 - \varepsilon)^2}{\ln(1/\alpha) + 1/2},$$

which is equivalent to

$$\sqrt{\frac{2\ln(1/\alpha) + 1}{\beta}}\,\sqrt{p + q} + 2\varepsilon \le 1.$$

Choosing $\alpha = 0.02$ and $\beta = 0.20$, we get

$$\sqrt{\frac{2\ln(1/\alpha) + 1}{\beta}} \le 7.$$

Our protocol needs $n \le 3(1/2 - \varepsilon)^{-2}$ instances. □
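Lemmas 6.19 and 6.21 are constructive: they name the $n$ and the constants $\alpha, \beta$ to use. The following is an added example (our own code, not from the thesis) that carries the two proofs out numerically: it computes the constants 22 and 7 from $\alpha$ and $\beta$, picks $n$ exactly as the proofs do, and propagates the parameters through the bounds the proofs rely on (for S-Reduce over $n$ instances $p' \le e^{-n(1-p)}$, $q' \le nq$, $\varepsilon' \le n\varepsilon$; for E-Reduce $p' \le np$, $q' \le nq$, $\varepsilon' \le e^{-2n(1/2 - \varepsilon)^2}$) to confirm that the result lands in the region $p' + q' + 2\varepsilon' < 0.24$ of Lemma 6.18. The function names and the sample parameter triples are ours.

```python
import math


def s_reduce_bounds(p, q, e, n):
    """S-Reduce over n instances, with the bounds the proof of Lemma 6.19 uses:
    p' <= e^{-n(1-p)} (which dominates p^n by Lemma A.4), q' <= n q, e' <= n e."""
    return math.exp(-n * (1 - p)), n * q, n * e


def e_reduce_bounds(p, q, e, n):
    """E-Reduce over n instances, with the bounds the proof of Lemma 6.21 uses:
    p' <= n p, q' <= n q, e' <= e^{-2n(1/2-e)^2}."""
    return n * p, n * q, math.exp(-2 * n * (0.5 - e) ** 2)


def constant_6_19(alpha=0.05, beta=0.19):
    """(ln(1/alpha) + 1) / beta, the constant 22 in the hypothesis of Lemma 6.19."""
    return (math.log(1 / alpha) + 1) / beta


def constant_6_21(alpha=0.02, beta=0.20):
    """sqrt((2 ln(1/alpha) + 1) / beta), the constant 7 in the hypothesis of Lemma 6.21."""
    return math.sqrt((2 * math.log(1 / alpha) + 1) / beta)


def lemma_6_19(p, q, e, alpha=0.05, beta=0.19):
    """(n, p', q', e') after S-Reduce with the n chosen in the proof (alpha + beta
    must stay <= 0.24), or None when the hypothesis p + 22q + 44e < 1 fails."""
    if not p + 22 * q + 44 * e < 1:
        return None
    n = math.ceil(math.log(1 / alpha) / (1 - p))
    return (n,) + s_reduce_bounds(p, q, e, n)


def lemma_6_21(p, q, e, alpha=0.02, beta=0.20):
    """(n, p', q', e') after E-Reduce with the n chosen in the proof (2 alpha + beta
    must stay <= 0.24), or None when the hypothesis 7 sqrt(p+q) + 2e < 1 fails."""
    if not 7 * math.sqrt(p + q) + 2 * e < 1:
        return None
    n = math.ceil(math.log(1 / alpha) / (2 * (0.5 - e) ** 2))
    return (n,) + e_reduce_bounds(p, q, e, n)


def reaches_target(result):
    """The target region of Lemmas 6.19 to 6.21: p' + q' + 2e' < 0.24."""
    n, p2, q2, e2 = result
    return p2 + q2 + 2 * e2 < 0.24


if __name__ == "__main__":
    print("constants:", constant_6_19(), constant_6_21())
    # Sample triples (constructed): a large p with small q, e; a large e with small p, q.
    for name, res in (("6.19", lemma_6_19(0.5, 0.01, 0.005)),
                      ("6.21", lemma_6_21(0.002, 0.002, 0.2))):
        print(name, res, "in target region:", reaches_target(res))
```

For $(p, q, \varepsilon) = (0.5, 0.01, 0.005)$ the proof of Lemma 6.19 selects $n = 6 \le 4/(1 - p) = 8$ and lands at roughly $(0.050, 0.06, 0.03)$; for $(0.002, 0.002, 0.2)$ Lemma 6.21 selects $n = 22 \le 3(1/2 - \varepsilon)^{-2} \approx 33$ and lands at roughly $(0.044, 0.044, 0.019)$, both inside the 0.24 region.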



Theorem 6.4 summarizes all the partial results we obtained in this section.

Theorem 6.4. Let $p(k)$, $q(k)$ and $\varepsilon(k)$ be functions computable in time $\mathrm{poly}(k)$ such that

$$p + q + 2\varepsilon < 0.24,$$

or

$$\min\big(p + 22q + 44\varepsilon,\; 22p + q + 44\varepsilon,\; 7\sqrt{p + q} + 2\varepsilon\big) < 1$$

for all $k$. Then $(2^{-k}, 2^{-k}, 2^{-k})$-WOT can efficiently be implemented using

$$O\!\left(\frac{k^{3.6}}{(1 - p)(1 - q)(1/2 - \varepsilon)^2}\right)$$

instances of $(p, q, \varepsilon)$-WOT secure in the semi-honest model.

Proof. Follows directly from Lemmas 6.18, 6.19, 6.20 and 6.21. □

Since Theorem 6.2 gives us a bound on the number of instances used, we can also bound the error probability, and therefore, we can extend the result of Theorem 6.2 to allow for a (small) error.

Corollary 6.2. Let $p(k)$, $q(k)$ and $\varepsilon(k)$ be functions computable in time $\mathrm{poly}(k)$ such that

$$(1 - p - q)^4 < -178 \cdot \log(1 - 2\varepsilon)$$

for all $k$. Then $(2^{-k}, 2^{-k}, 2^{-k})$-WOT can efficiently be implemented using

$$O\big(k^{3.6}\big)$$

instances of $(p, q, \varepsilon)$-WOT, secure in the semi-honest model.

Proof. We apply the reduction used in Theorem 6.2 for $k = 5$. We get $p' \le 2^{-5}$, $q' \le 2^{-5}$, and $\varepsilon' \le (1 - (1 - 2\varepsilon)^n)/2$, for $n = 50 \cdot (1 - p - q)^{-4}$. We have

$$\log(1 - 2\varepsilon') = n \log(1 - 2\varepsilon) = 50 \cdot (1 - p - q)^{-4} \cdot (1 - p - q)^4 / (-178) = -50/178$$

and therefore

$$p' + q' + 2\varepsilon' \le 2 \cdot 2^{-5} + \big(1 - 2^{-50/178}\big) < 0.24.$$

The statement follows now by applying Lemmas 6.17 and 6.18. □
6.7 Discussion and Open Problems

We have presented several protocols that implement ROT from many instances of WOT. For the special case where $\varepsilon = 0$, we were able to achieve the optimal bound, and when either $p = 0$ or $q = 0$, we were at least able to give protocols which achieve the optimal bound for the basic protocols that we use.

However, for the general case, we still do not have very satisfactory results. One of the main difficulties is that we do not know exactly which of the basic protocols needs to be applied in which situation. To be able to do that, we would need a better understanding of how these protocols work together.

There are still many open problems concerning WOT amplification. Here are some of them:

• Can we improve the impossibility bound?

• For what parameters of WOT can we implement ROT with our basic protocols? How many instances do we need?

• Are there other basic protocols that give better bounds? Is it possible to use (a modified version of) the protocol E-Reduce from [DKS99]? Is it possible to reduce two parameters at the same time?

• Is there a (simple) way to make E-Reduce secure in the malicious model?

• Can GWOT be used to improve WOT amplification?

• Is it possible to define WOT in another, more general way?

• How do we have to define WOT in a multi-party setting?



Chapter 7

Computational Weak Oblivious Transfer

In this chapter we show how an OT which may contain errors and which is only mildly computationally secure for the two players can be amplified to a computationally-secure OT. In particular, we show in Theorem 7.2, using Holenstein's uniform hard-core lemma [Hol05, Hol06], which is a uniform variant of Impagliazzo's hard-core lemma [Imp95], that if WOT can be amplified to ROT in the information-theoretic setting, then also the corresponding computational version of WOT can be amplified to a computationally-secure ROT, using the same protocol.

Our results generalize the results presented in [Hai04], as we cover a much larger region for the values $p$, $q$ and $\varepsilon$, and in our case the security for both players may be computational.



7.1 Preliminaries

In the following, $k \in \mathbb{N}$ is always the security parameter. We say that a function $f : \mathbb{N} \to \mathbb{N}$ is polynomial in $k$, denoted by $\mathrm{poly}(k)$, if there exist constants $c > 0$ and $k_0$, such that $f(k) \le k^c$ for all $k \ge k_0$. A function $f : \mathbb{N} \to [0, 1]$ is negligible in $k$, denoted by $\mathrm{negl}(k)$, if for all constants $c > 0$ there exists a constant $k_0$, such that $f(k) \le k^{-c}$ for all $k \ge k_0$. A function $f : \mathbb{N} \to [0, 1]$ is noticeable if there exist constants $c > 0$ and $k_0$ such that $f(k) \ge k^{-c}$ for all $k \ge k_0$. An algorithm $B$ which has oracle access to an algorithm $A$ will be denoted by $B^A$.

We will need the following lemmas, which are, when put together, the computational version of Lemma 2.6.

Lemma 7.1. Let functions $f : \{0, 1\}^k \to \{0, 1\}^\ell$, $P : \{0, 1\}^k \to \{0, 1\}$, and a distribution $P_W$ over $\{0, 1\}^k$ be given. There is an oracle algorithm $B$ such that, for any algorithm $A$ where

$$\Pr[A(f(W), P(W)) = 1] - \Pr[A(f(W), U) = 1] = \varepsilon,$$

where $W$ is distributed according to $P_W$ and $U$ is uniformly distributed, algorithm $B^A$ satisfies

$$\Pr[B^A(f(W)) = P(W)] = \frac{1}{2} + \varepsilon,$$

does one oracle call to $A$, and computes one XOR.

Proof. On input $f(w)$, let algorithm $B^A$ choose a bit $u$ uniformly at random and output $A(f(w), u) \oplus u \oplus 1$. Let

$$g(w, u) := \Pr[A(f(w), u) = 1].$$

The output of $B^A$ is correct either if $U = P(W)$ and the output of $A$ is 1, or $U \ne P(W)$ and the output of $A$ is 0. We get

$$\Pr[B^A(f(W)) = P(W)] = \frac{1}{2} + \frac{1}{2} \sum_{w} P_W(w) \Big( g(w, P(w)) - g(w, 1 - P(w)) \Big) = \frac{1}{2} + \Pr[A(f(W), P(W)) = 1] - \Pr[A(f(W), U) = 1] = \frac{1}{2} + \mathrm{Adv}^A\big((f(W), P(W)), (f(W), U)\big).$$

□

Lemma 7.2. Let functions $f : \{0, 1\}^k \to \{0, 1\}^\ell$, $P : \{0, 1\}^k \to \{0, 1\}$, and a distribution $P_W$ over $\{0, 1\}^k$ be given. There is an oracle algorithm $A$ such that, for any algorithm $B$ where

$$\Pr[B(f(W)) = P(W)] = \frac{1}{2} + \varepsilon,$$

we have

$$\mathrm{Adv}^{A^B}\big((f(W), P(W)), (f(W), U)\big) = \varepsilon,$$

where $W$ is distributed according to $P_W$ and $U$ is uniformly distributed; $A^B$ does one oracle call to $B$, and computes one XOR.

Proof. On input $(f(w), b)$, let algorithm $A^B$ output $B(f(w)) \oplus b \oplus 1$. If $b$ is a uniform random bit, then we have $\Pr[A^B(f(W), b) = 1] = 1/2$, and if $b = P(w)$, then $\Pr[A^B(f(W), b) = 1] = 1/2 + \varepsilon$. Therefore, we have $\mathrm{Adv}^{A^B}((f(W), P(W)), (f(W), U)) = \varepsilon$. □
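Lemmas 7.1 and 7.2 are the two directions of one exact bookkeeping identity, and both constructions are a single XOR. The following is an added illustration (our own code, not the thesis's): a constructed toy instance with $W$ uniform over $\{0, 1\}^3$, $f$ dropping the last bit and $P$ the majority bit, one sample distinguisher and one sample predictor, plus the two wrappers $B^A$ and $A^B$ exactly as in the proofs. All probabilities are computed exactly by enumerating $W$ and the wrapper's coin rather than by sampling, so the identities $\Pr[B^A \text{ correct}] = 1/2 + \mathrm{Adv}^A$ and $\mathrm{Adv}^{A^B} = \Pr[B \text{ correct}] - 1/2$ can be checked for arbitrary deterministic $A$ and $B$. Names of the functions and the toy $f$, $P$ are ours.

```python
from fractions import Fraction
from itertools import product

# Constructed toy instance (ours, not from the thesis): W is uniform over
# {0,1}^3, f(w) drops the last bit and P(w) is the majority bit, so P(W) is
# correlated with f(W) but not determined by it.
K = 3
WORDS = list(product((0, 1), repeat=K))


def f(w):
    return w[:2]


def P(w):
    return int(sum(w) >= 2)


def sample_distinguisher(z, b):
    """A sample A(f(w), b): outputs 1 iff the candidate bit b equals the first bit of z."""
    return int(b == z[0])


def sample_predictor(z):
    """A sample B(f(w)): guesses P(w) as the first bit of z."""
    return z[0]


def predictor_from_distinguisher(A):
    """Lemma 7.1: B^A(z) draws a uniform bit u and outputs A(z, u) xor u xor 1.
    The coin u is passed explicitly so that probabilities can be enumerated."""
    return lambda z, u: A(z, u) ^ u ^ 1


def distinguisher_from_predictor(B):
    """Lemma 7.2: A^B(z, b) outputs B(z) xor b xor 1."""
    return lambda z, b: B(z) ^ b ^ 1


def advantage(A):
    """Adv^A((f(W), P(W)), (f(W), U)) = Pr[A(f(W), P(W)) = 1] - Pr[A(f(W), U) = 1], exactly."""
    real = Fraction(sum(A(f(w), P(w)) for w in WORDS), len(WORDS))
    rand = Fraction(sum(A(f(w), u) for w in WORDS for u in (0, 1)), 2 * len(WORDS))
    return real - rand


def success(B_with_coin):
    """Pr[B(f(W)) = P(W)] over W and B's coin u, exactly."""
    hits = sum(int(B_with_coin(f(w), u) == P(w)) for w in WORDS for u in (0, 1))
    return Fraction(hits, 2 * len(WORDS))


def lemma_7_1_holds(A):
    """Pr[B^A(f(W)) = P(W)] == 1/2 + Adv^A for this distinguisher A."""
    return success(predictor_from_distinguisher(A)) == Fraction(1, 2) + advantage(A)


def lemma_7_2_holds(B):
    """Adv^{A^B} == Pr[B(f(W)) = P(W)] - 1/2 for this predictor B."""
    eps = success(lambda z, u: B(z)) - Fraction(1, 2)
    return advantage(distinguisher_from_predictor(B)) == eps


if __name__ == "__main__":
    print("advantage of sample distinguisher:", advantage(sample_distinguisher))
    print("success of derived predictor B^A:", success(predictor_from_distinguisher(sample_distinguisher)))
    print("success of sample predictor:", success(lambda z, u: sample_predictor(z)))
    print("advantage of derived distinguisher A^B:", advantage(distinguisher_from_predictor(sample_predictor)))
```

For the toy instance the majority bit agrees with the first bit unless the other two bits both disagree with it, so the sample distinguisher has advantage exactly $1/4$ and the derived predictor $B^A$ succeeds with probability exactly $3/4$; the derived distinguisher $A^B$ built from the sample predictor has advantage $1/4$ again.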



7.2 Pseudo-Randomness Extraction

In this section we state a pseudo-randomness extraction theorem, Theorem 7.1, that we need later to prove our main theorem of this chapter, Theorem 7.2. Theorem 7.1 is based on the uniform hard-core lemma [Hol05, Hol06], which is a uniform variant of the hard-core lemma from [Imp95].

Lemma 7.3 (Uniform hard-core lemma [Hol05, Hol06]). Let the functions $f : \{0, 1\}^k \to \{0, 1\}^\ell$, $P : \{0, 1\}^k \to \{0, 1\}$, $\delta : \mathbb{N} \to [0, 1]$ and $\gamma : \mathbb{N} \to [0, 1]$ computable in time $\mathrm{poly}(k)$ be given, such that $\gamma$ and $\delta$ are noticeable. Assume that there is no polynomial time algorithm $B$ such that

$$\Pr[B(f(W)) = P(W)] \ge 1 - \frac{\delta}{2} + \frac{\gamma}{2},$$

where $W$ is chosen uniformly at random from $\{0, 1\}^k$, for infinitely many $k$. Then, there is no polynomial time oracle algorithm $A^{(\cdot)}$¹ such that for infinitely many $k$ the following holds: For any set $S \subseteq \{0, 1\}^k$ with $|S| \ge \delta 2^k$,

$$\Pr[A^{\chi_S}(f(W)) = P(W)] \ge \frac{1}{2} + \frac{\gamma}{2},$$

where $W$ is chosen uniformly at random from $S$ and the queries of $A$ to $\chi_S$ are computed independently of the input $f(W)$.

¹ $A^{(\cdot)}$ has oracle access to the characteristic function $\chi_S$ of the set $S$, which is defined as $\chi_S(w) := 1$ if $w \in S$ and $\chi_S(w) := 0$ otherwise.

Theorem 7.1 is a modified version of Theorem 7.3 in [Hol06] and differs from it in two points. First, we simplified it by omitting the function $q(w)$ that indicates whether $w$ is valid, because in our setting all $w$ are valid. Second, we allow the functions Ext and Leak to depend on the value $Z^n$, and not only on $X^n$. The proof of Theorem 7.1 is basically the same as the proof of Theorem 7.3 in [Hol06]. Notice that in the proof of Theorem 7.3 in [Hol06] there is a step missing before equation (7.8), which is fixed in our proof.

The main difference of Theorem 7.3 in [Hol06] and our Theorem 7.1 compared to the (implicit) extraction lemma in [Has90, HILL99] and the extraction lemma in [HHR06] is that it allows the adversary to gain some additional knowledge during the extraction, expressed by the function Leak.

Theorem 7.1 (Pseudo-randomness extraction theorem, [Hol06]). Let the functions $f : \{0, 1\}^k \to \{0, 1\}^\ell$, $P : \{0, 1\}^k \to \{0, 1\}$, and $\beta : \mathbb{N} \to [0, 1]$, all computable in time $\mathrm{poly}(k)$, be given, and let $1 - \beta(k)$ be noticeable. Assume that every polynomial time algorithm $B$ satisfies

$$\Pr[B(f(W)) = P(W)] \le \frac{1 + \beta(k)}{2}$$

for all but finitely many $k$, for a uniform random $W \in \{0, 1\}^k$. Further, let also functions $n(k)$, $s(k)$,

$$\text{Ext} : \{0, 1\}^{\ell n} \times \{0, 1\}^n \times \{0, 1\}^s \to \{0, 1\}^t,$$
$$\text{Leak} : \{0, 1\}^{\ell n} \times \{0, 1\}^n \times \{0, 1\}^s \to \{0, 1\}^{t'},$$

be given which are computable in time $\mathrm{poly}(k)$, and satisfy the following: For any distribution $P_{XZ}$ over $\{0, 1\} \times \{0, 1\}^\ell$ where $\mathrm{PredAdv}(X \mid Z) \le \beta(k)$, $\text{Ext}(Z^n, X^n, R)$ is $\varepsilon(k)$-close to uniform with respect to $\text{Leak}(Z^n, X^n, R)$, for $R \in \{0, 1\}^s$ chosen uniformly at random. Then, no polynomial time algorithm $A$, which gets as input

$$\text{Leak}\big((f(W_0), \ldots, f(W_{n-1})), (P(W_0), \ldots, P(W_{n-1})), R\big),$$

(where $(W_0, \ldots, W_{n-1})$ is chosen uniformly at random) distinguishes

$$\text{Ext}\big((f(W_0), \ldots, f(W_{n-1})), (P(W_0), \ldots, P(W_{n-1})), R\big)$$

from a uniform random string of length $t$ with advantage $\varepsilon(k) + \gamma(k)$, for any non-negligible function $\gamma(k)$.

Proof. Let us assume there exists an algorithm $A$ that contradicts our assumption. We will use $A$ to construct an oracle algorithm $A^{\chi_S}$ for which the following holds for infinitely many $k$ for a noticeable function $\gamma'$. For any set $S \subseteq \{0, 1\}^k$ with $|S| \ge (1 - \beta(k))2^k$, we have

$$\Pr[A^{\chi_S}(f(W)) = P(W)] \ge \frac{1}{2} + \gamma',$$

where the probability is over the randomness of $A^{\chi_S}$, $W$ is chosen uniformly at random from $S$, and $A^{\chi_S}$ calls $\chi_S$ only with queries which are computed independently of the input.

Since $\gamma(k)$ is non-negligible, there exists a constant $c$, such that $\gamma(k) \ge k^{-c}$ for infinitely many $k$. Let $\gamma^*(k) := k^{-c}$. $\gamma^*(k)$ is a noticeable function with $\gamma^*(k) \le \gamma(k)$ for infinitely many $k$.

For any fixed $j \in \{0, \ldots, n\}$ and any fixed set $S \subseteq \{0, 1\}^k$ with $|S| \ge (1 - \beta)2^k$, we define the following values. For all $i \in \{0, \ldots, n - 1\}$, we choose $w_i \in \{0, 1\}^k$ and $u_i \in \{0, 1\}$ uniformly at random. Then we compute

$$y_i := \begin{cases} P(w_i) & \text{if } i \ge j \text{ or } w_i \notin S, \\ u_i & \text{otherwise,} \end{cases} \qquad (7.1)$$

$$e_j := \text{Ext}\big((f(w_0), \ldots, f(w_{n-1})), y^n, r\big), \qquad (7.2)$$

$$\ell_j := \text{Leak}\big((f(w_0), \ldots, f(w_{n-1})), y^n, r\big), \qquad (7.3)$$

where $r \in \{0, 1\}^s$ is chosen uniformly at random.

Let $P_{E_j L_j}$ be the distribution of $(e_j, \ell_j)$. From our assumption follows that

$$\mathrm{Adv}^A\big((E_0, L_0), (U, L_0)\big) \ge \varepsilon + \gamma^*$$

for infinitely many $k$, where $U \in \{0, 1\}^t$ is chosen uniformly at random. On the other hand, for $j = n$, with probability $1 - \beta$ (over the choice of $w_i$) we have $y_i = u_i$, and therefore, by Lemma 2.8, $\mathrm{PredAdv}(Y_i \mid f(W_i)) \le \beta$. The information-theoretic requirement on the functions Ext and Leak implies that $E_n$ is $\varepsilon$-close to uniform with respect to $L_n$ and therefore

$$\mathrm{Adv}^A\big((E_n, L_n), (U, L_n)\big) \le \varepsilon.$$

The triangle inequality implies

$$\mathrm{Adv}^A\big((E_0, L_0), (E_n, L_n)\big) + \mathrm{Adv}^A\big((U, L_0), (U, L_n)\big) \ge \gamma^*$$

for infinitely many $k$. It follows that at least one of the four inequalities $\Pr[A(E_0, L_0) = 1] - \Pr[A(E_n, L_n) = 1] \ge \gamma^*/2$, $\Pr[A(E_n, L_n) = 1] - \Pr[A(E_0, L_0) = 1] \ge \gamma^*/2$, $\Pr[A(U, L_0) = 1] - \Pr[A(U, L_n) = 1] \ge \gamma^*/2$, or $\Pr[A(U, L_n) = 1] - \Pr[A(U, L_0) = 1] \ge \gamma^*/2$ holds for infinitely many $k$, from which follows that there exists an algorithm $A'$ such that

$$\Pr[A'(E_0, L_0) = 1] - \Pr[A'(E_n, L_n) = 1] \ge \frac{\gamma^*}{2}$$

for infinitely many $k$. For a $j \in \{0, \ldots, n - 1\}$ chosen uniformly at random, we have

$$\Pr[A'(E_j, L_j) = 1] - \Pr[A'(E_{j+1}, L_{j+1}) = 1] \ge \frac{\gamma^*}{2n}$$

for infinitely many $k$. We can now give an implementation of a distinguisher which distinguishes $(f(W), P(W))$ from $(f(W), U)$ with advantage $\gamma^*/(2n)$ for infinitely many $k$, if $W$ is chosen uniformly from $S$ and $U$ is a uniform random bit, as long as oracle access to $\chi_S$ is given. Let $(f(w), b)$ be the input to the distinguisher. It chooses $j \in \{0, \ldots, n - 1\}$, and for all $i \in \{0, \ldots, n - 1\}$ the values $w_i \in \{0, 1\}^k$ and $u_i \in \{0, 1\}$ uniformly at random. Then, for all $i \in \{0, \ldots, n - 1\}$, it computes the values $f(w_i)$, $P(w_i)$ and $y_i$ as in (7.1). If $w_j \in S$, it replaces $f(w_j)$ with $f(w)$ and $u_j$ with $b$. Then, it computes $e_j$ and $\ell_j$ as in (7.2) and (7.3). If $b$ is a uniform bit, then this process gives random variables $(E_j, L_j)$ distributed according to $P_{E_{j+1} L_{j+1}}$; otherwise it gives random variables distributed according to $P_{E_j L_j}$. Therefore, $A'$ distinguishes $(f(W), P(W))$ from $(f(W), U)$ with advantage $\gamma^*/(2n)$ for infinitely many $k$, if $W$ is chosen uniformly at random from $S$. From Lemma 7.1 follows that there exists a polynomial time algorithm that predicts $P(W)$ from $f(W)$, where $W$ is chosen uniformly at random from $S$, with probability at least $1/2 + \gamma^*/(2n)$ for infinitely many $k$. We can now apply Lemma 7.3 for $\gamma := \gamma^*/n$ and $\delta := 1 - \beta$ to obtain the statement. □



7.3 Definition of Computational WOT

In order to define security in the computational setting, i.e., where the running time of the adversary is bounded by a polynomial, we need to introduce a security parameter $k$ on which the players agree beforehand. We consider the uniform model, that is, we require the same protocols to run on all security parameters, which they get as a separate input. Additionally, we require the security parameter to be larger than the sum of the length of all the inputs and outputs of the protocol. The security in the computational semi-honest model is very similar to the (information-theoretic) semi-honest model (Definition 3.3). The only differences are that we require the distinguishers to be efficient, i.e., to run in time $\mathrm{poly}(k)$, and we require the advantage of these distinguishers to be negligible in $k$. Furthermore, we require that the simulator is efficient, i.e., runs in time $\mathrm{poly}(k)$.

We say that $X(k)$ and $Y(k)$ are computationally indistinguishable, denoted by $X \overset{c}{\equiv} Y$, if $\mathrm{Adv}^{\mathcal{D}}(X, Y) \le \mathrm{negl}(k)$, where $\mathcal{D}$ is the set of all distinguishers that run in time $\mathrm{poly}(k)$.

Definition 7.1. A protocol $P(F) = (P_A \,\|\, P_B)(F)$ securely implements $G$ in the computational semi-honest model, if

(Correctness) $P(F_\emptyset) \overset{c}{\equiv} G_\emptyset$.

(Security for A) There exists a system $S_B$ (called the simulator for B), that runs in time $\mathrm{poly}(k)$ and only modifies the auxiliary interfaces, such that

$$(P_A \,\|\, \overline{P}_B)(F_{\{B\}}) \overset{c}{\equiv} S_B(G_{\{B\}}).$$

(Security for B) There exists a system $S_A$ (called the simulator for A), that runs in time $\mathrm{poly}(k)$ and only modifies the auxiliary interfaces, such that

$$(\overline{P}_A \,\|\, P_B)(F_{\{A\}}) \overset{c}{\equiv} S_A(G_{\{A\}}).$$



The primitive $(p, q, \varepsilon)$-compWOT denotes the computational version of $(p, q, \varepsilon)$-WOT. The difference to the definition of WOT is that we require the algorithm that guesses $X_{1-C}$ or $C$ to be efficient.

Definition 7.2 (Computational WOT, semi-honest model). Let functions $\varepsilon : \mathbb{N} \to [0, 1/2]$, $p : \mathbb{N} \to [0, 1]$, and $q : \mathbb{N} \to [0, 1]$ computable in time $\mathrm{poly}(k)$ be given. Let $F = (F_\emptyset, F_{\{A\}}, F_{\{B\}})$ be a collection of systems in the computational semi-honest model. On input $k$, $F$ outputs $(X_0, X_1)$ to A and $(C, Y)$ to B. Let $U$ be the auxiliary output to A by $F_{\{A\}}$ and $V$ be the auxiliary output to B by $F_{\{B\}}$. Let $E := X_C \oplus Y$. $F$ implements $(p(k), q(k), \varepsilon(k))$-compWOT in the computational semi-honest model, if

• (Efficiency) $F$ can be executed in time $\mathrm{poly}(k)$.

• (Correctness) $\Pr[E = 1] \le \varepsilon(k)$ for all $k$.

• (Security for A) All polynomial time algorithms $A$ satisfy

$$\Pr[A(V, E) = X_{1-C}] \le \frac{1 + p(k)}{2}$$

for all but finitely many $k$.

• (Security for B) All polynomial time algorithms $A$ satisfy

$$\Pr[A(U, E) = C] \le \frac{1 + q(k)}{2}$$

for all but finitely many $k$.

Lemma 7.4 is the computational version of Lemma 6.2.

Lemma 7.4. A collection of systems $F$ that securely implements

$$(\mathrm{negl}(k), \mathrm{negl}(k), \mathrm{negl}(k))\text{-compWOT}$$

also securely implements $\binom{2}{1}$-ROT$^1$ in the computational semi-honest model.


Proof. From the (computational) security condition for A follows that $C$ is (statistically) $\mathrm{negl}(k)$-close to uniform with respect to $(X_0, X_1)$. Otherwise, it could easily and efficiently be distinguished from uniform. Similarly, it follows from the security condition for B that $X_{1-C}$ is $\mathrm{negl}(k)$-close to uniform with respect to $(C, X_C)$. From Lemma 6.1 follows that $(C, X_0, X_1)$ is $\mathrm{negl}(k)$-close to uniform. Together with the correctness condition, we get

$$F_\emptyset \equiv_{\mathrm{negl}(k)} \text{ROT}_\emptyset.$$

Let $F_{\{B\}}$ produce the output distribution $P_{X_0 X_1 C Y V}$, and let $P_{\tilde{X}_0 \tilde{X}_1 C Y}$ be the output distribution of ROT. We define $S_B$ as follows. After receiving $(c, y)$ from ROT, it simulates $F_{\{B\}}$, which outputs $(c', y', v')$, until $c' = c$ and $y' = y$. It outputs $v'$.

From the correctness condition follows that $(C', Y')$ is $\mathrm{negl}(k)$-close to uniform, and, therefore, the probability that $C' = c$ and $Y' = y$ is at least $1/4 - \mathrm{negl}(k)$. The expected number of iterations² is therefore constant and the simulator is efficient since the system $F$ is efficient.

Let us assume that there exists an algorithm $A$ with

$$\mathrm{Adv}^A\big(X_0 X_1 C Y V,\; \tilde{X}_0 \tilde{X}_1 C Y V\big) \ge \gamma(k),$$

for a non-negligible function $\gamma(k)$. There exists a constant $c$, such that $\gamma(k) \ge k^{-c}$ for infinitely many $k$. Let $\gamma^*(k) := k^{-c}$. $\gamma^*(k)$ is a noticeable function with $\gamma^*(k) \le \gamma(k)$ for infinitely many $k$.

Since $(C, X_C, Y, V)$ is $\mathrm{negl}(k)$-close to $(C, \tilde{X}_C, Y, V)$, and $\tilde{X}_{1-C}$ is uniform with respect to $(C, \tilde{X}_C, Y, V)$, we have

$$\mathrm{Adv}^A\big(R\, C\, X_C\, Y\, V,\; \tilde{X}_{1-C}\, C\, \tilde{X}_C\, Y\, V\big) \le \mathrm{negl}(k),$$

where $R$ is chosen uniformly at random. It follows that

$$\mathrm{Adv}^A\big(R\, C\, X_C\, Y\, V,\; X_{1-C}\, C\, X_C\, Y\, V\big) \ge \gamma^*(k) - \mathrm{negl}(k)$$

for infinitely many $k$, and therefore either

$$\Pr[A(R\, C\, X_C\, Y\, V) = 1] - \Pr[A(X_{1-C}\, C\, X_C\, Y\, V) = 1] \ge \gamma^*(k) - \mathrm{negl}(k)$$

for infinitely many $k$, or

$$\Pr[A(X_{1-C}\, C\, X_C\, Y\, V) = 1] - \Pr[A(R\, C\, X_C\, Y\, V) = 1] \ge \gamma^*(k) - \mathrm{negl}(k)$$

for infinitely many $k$. Note that $(C, X_C)$ is a function of $V$ and $E = X_C \oplus Y$. In both cases, it follows from Lemma 7.1 that there exists an algorithm that can predict $X_{1-C}$ with probability $1/2 + \gamma^*(k) - \mathrm{negl}(k)$ for infinitely many $k$, which contradicts our assumption that no such algorithm exists.

The proof for the security of B can be done the same way. □

² If we want the algorithm to be worst-case polynomial, we simply abort after a polynomial amount of simulations.

7.4 Computational-WOT Amplification

In [Hol05], Lemma 7.3 was used to show that any information-theoretic key-agreement protocol can also be used in the computational setting. We will use a very similar proof to show that any protocol that efficiently implements ROT out of many instances of WOT in the semi-honest model can be used to implement ROT out of many instances of compWOT in the computational semi-honest model.

Theorem 7.2. Let the functions $\varepsilon(k)$, $p(k)$, $q(k)$ and $n(k)$ computable in time $\mathrm{poly}(k)$ be given. Let a protocol $P(\text{Comm})$ achieve $(p, q, \varepsilon)$-compWOT. Further, let an efficient protocol $Q((p, q, \varepsilon)\text{-WOT}^{\|n} \,\|\, \text{Comm})$ be given which takes $k$ as input and securely implements $(\mathrm{negl}(k), \mathrm{negl}(k), \mathrm{negl}(k))$-WOT in the semi-honest model. Then the protocol³ $Q(P(\text{Comm})^{\|n} \,\|\, \text{Comm})$ implements $(\mathrm{negl}(k), \mathrm{negl}(k), \mathrm{negl}(k))$-compWOT in the computational semi-honest model.

Proof. Let $W = (W_A, W_B)$ be the randomness used in $P(\text{Comm})$ by the sender and the receiver, and let $Z$ be the communication. The honest protocols $P_A$ and $P_B$ output $(X_0, X_1)$ and $(C, Y)$, respectively, while the semi-honest protocols $\overline{P}_A$ and $\overline{P}_B$ additionally have the auxiliary outputs $U = (X_0, X_1, Z, W_A)$ and $V = (C, Y, Z, W_B)$, respectively. Let $E := Y \oplus X_C$. All these values are functions of $W$.

$Q_A$ receives $(X_0^n, X_1^n)$ from $P(\text{Comm})^{\|n}$ and outputs $(X_0^*, X_1^*)$. $Q_B$ receives $(C^n, Y^n)$ from $P(\text{Comm})^{\|n}$ and outputs $(C^*, Y^*)$. Let $R = (R_A, R_B)$ be the randomness used in $Q$ by both players, and let $Z'$ be the communication sent over Comm in $Q$. Let $E^* := Y^* \oplus X^*_{C^*}$. The values $E^*$, $X_0^*$, $X_1^*$, $C^*$, $Y^*$ and $Z'$ are functions of $(X_0^n, X_1^n, C^n, Y^n, R)$.

First of all, the resulting protocol $Q(P(\text{Comm})^{\|n} \,\|\, \text{Comm})$ will be correct and efficient, as every outcome of $P(\text{Comm})$ satisfies $\Pr[Y \ne X_C] \le \varepsilon$.

For the security for A, we define the following functions: let $f(W) := (V, E)$ and $P(W) := X_{1-C}$. Since $X_C = E \oplus Y$, it is possible to simulate the protocol $Q$ using the values $(V, E)^n$, $(X_{1-C})^n$, and $R$. Therefore, we can define

$$\text{Ext}\big((V, E)^n, (X_{1-C})^n, R\big) := X^*_{1-C^*},$$

and

$$\text{Leak}\big((V, E)^n, (X_{1-C})^n, R\big) := (E^*, C^*, Y^*, V^n, Z', R_B).$$

$Q$ implements $(\mathrm{negl}(k), \mathrm{negl}(k), \mathrm{negl}(k))$-WOT. It follows from Lemma 7.2 that the functions Ext and Leak satisfy the extraction requirements from Theorem 7.1 with $\varepsilon(k) = \mathrm{negl}(k)$. Furthermore, Ext and Leak can be computed efficiently, since the protocol $Q$ is efficient. From the security condition of compWOT follows that every polynomial-time algorithm $B$ satisfies

$$\Pr[B(f(W)) = P(W)] = \Pr[B(V, E) = X_{1-C}] \le \frac{1 + p(k)}{2}$$

for all but finitely many $k$, for $W$ chosen uniformly at random. Theorem 7.1 tells us that no polynomial time algorithm $A$, which gets as input $\text{Leak}((V, E)^n, (X_{1-C})^n, R)$, distinguishes $\text{Ext}((V, E)^n, (X_{1-C})^n, R)$ from a uniform random bit with advantage $\mathrm{negl}(k) + \gamma(k)$, for any non-negligible function $\gamma(k)$. The security for A follows now from Lemma 7.2.

For the security for B, we define the following functions: let $f(W) := (U, E)$ and $P(W) := C$. Since $X_C = E \oplus Y$, it is possible to simulate the protocol $Q$ using the values $(U, E)^n$, $C^n$, and $R$. Therefore, we can define

$$\text{Ext}\big((U, E)^n, C^n, R\big) := C^*,$$

and

$$\text{Leak}\big((U, E)^n, C^n, R\big) := (E^*, X_0^*, X_1^*, U^n, Z', R_A).$$

$Q$ implements $(\mathrm{negl}(k), \mathrm{negl}(k), \mathrm{negl}(k))$-WOT. It follows from Lemma 7.2 that the functions Ext and Leak satisfy the extraction requirements from Theorem 7.1 with $\varepsilon(k) = \mathrm{negl}(k)$. Furthermore, Ext and Leak can be computed efficiently, since the protocol $Q$ is efficient. From the security condition of compWOT follows that every polynomial time algorithm $A$ satisfies

$$\Pr[A(f(W)) = P(W)] = \Pr[A(U, E) = C] \le \frac{1 + q(k)}{2}$$

for all but finitely many $k$, for $W$ chosen uniformly at random. Theorem 7.1 tells us that no polynomial time algorithm $B$, which gets as input $\text{Leak}((U, E)^n, C^n, R)$, distinguishes $\text{Ext}((U, E)^n, C^n, R)$ from a uniform random bit with advantage $\mathrm{negl}(k) + \gamma(k)$, for any non-negligible function $\gamma(k)$. The security for B follows now from Lemma 7.2. □

³ This is an execution of $Q$, where all calls to WOT are replaced by independent executions of $P$.

Together with the information-theoretic reductions presented in Chapters 4 and 6, we get a protocol that securely amplifies $(p, q, \varepsilon)$-compWOT to $\binom{2}{1}$-OT$^1$ in the computational semi-honest model.
Corollary 7.1. Let the functions $\varepsilon(k)$, $p(k)$, and $q(k)$, computable in time $\mathrm{poly}(k)$, be given, where either for all $k$

$$\varepsilon = 0 \;\wedge\; p + q < 1 - 1/\mathrm{poly}(k),$$

$$p + q + 2\varepsilon < 0.24,$$

or

$$\min\big(p + 22q + 44\varepsilon,\; 22p + q + 44\varepsilon,\; 7\sqrt{p + q} + 2\varepsilon\big) < 1 - 1/\mathrm{poly}(k),$$

or, for constant functions $p(k)$, $q(k)$ and $\varepsilon(k)$,

$$p = 0 \;\wedge\; \sqrt{q} + 2\varepsilon < 1,$$
$$q = 0 \;\wedge\; \sqrt{p} + 2\varepsilon < 1,$$

or

$$(1 - p - q)^4 < -178 \cdot \log(1 - 2\varepsilon).$$

If there exists a protocol $P(\text{Comm})$ that securely implements $(p, q, \varepsilon)$-compWOT in the computational semi-honest model, then there exists a protocol $Q(\text{Comm})$ that implements $\binom{2}{1}$-OT$^1$ in the computational semi-honest model.

7.5 Discussion and Open Problems

We have shown that Holenstein's hard-core lemma [Hol05, Hol06] can also be applied in the setting of two-party computation, and presented a new computational assumption, namely computational weak oblivious transfer, under which oblivious transfer and hence any two-party computation is possible in a computationally secure way.

The pseudo-randomness extraction theorem presented in [Hol06] turned out not to be general enough for our application. It would be interesting to know whether our generalization is also useful in other applications.

A very interesting open problem is whether our results can be used to improve the results from [Hai04], i.e., whether it is possible to implement computationally-secure OT from weaker requirements on trapdoor permutations.
A.1 Formal Technicalities

Lemma A.1 (Chernoff/Hoeffding Bound [Che52, Hoe63]). Let $P_{X_0 \ldots X_{n-1}} = P_X^n$ be a product distribution with $X_i \in [0, 1]$. Let $X := \frac{1}{n} \sum_{i=0}^{n-1} X_i$, and $\mu = E[X]$. Then, for any $\varepsilon > 0$,

$$\Pr[X \ge \mu + \varepsilon] \le e^{-2n\varepsilon^2},$$
$$\Pr[X \le \mu - \varepsilon] \le e^{-2n\varepsilon^2}.$$

Lemma A.2 (Cauchy-Schwarz). For all $x_0, \ldots, x_{n-1}, y_0, \ldots, y_{n-1} \in \mathbb{R}$ we have

$$\left(\sum_{i=0}^{n-1} x_i y_i\right)^2 \le \left(\sum_{i=0}^{n-1} x_i^2\right) \cdot \left(\sum_{i=0}^{n-1} y_i^2\right).$$

Lemma A.3. For all $a_0, \ldots, a_{n-1} \in \mathbb{R}$, we have

$$\left(\sum_{i=0}^{n-1} a_i\right)^2 \le n \cdot \sum_{i=0}^{n-1} a_i^2.$$

Proof. The statement follows from Lemma A.2 choosing $x_i := 1$ and $y_i := a_i$. □






Lemma A.4. For all $x \in \mathbb{R}$, we have

$$\ln(x + 1) \le x \le e^{x - 1}.$$

Proof sketch. The function $\ln(x + 1)$ is convex, and goes through the point $(0, 0)$ with slope 1, and the function $e^{x-1}$ is concave, and goes through the point $(1, 1)$ with slope 1. Hence, we have $\ln(x + 1) \le x \le e^{x-1}$. □



Lemma A.5. For $0 \le x \le 1$, we have $1 - \sqrt{1 - x} \le x$.

Proof. From $(1 - x)^2 \le 1 - x$ follows that $1 - x \le \sqrt{1 - x}$, and hence $1 - \sqrt{1 - x} \le x$. □

Lemma A.6. For all $x, y \in \mathbb{R}$, we have

$$\left| x - \frac{x + y}{2} \right| + \left| y - \frac{x + y}{2} \right| = |x - y|.$$

Proof. If $x \ge y$, we have

$$\left| x - \frac{x + y}{2} \right| + \left| y - \frac{x + y}{2} \right| = x - \frac{x + y}{2} + \frac{x + y}{2} - y = x - y = |x - y|.$$

The same holds for $y \ge x$. □



Lemma A.7. Let $X_0$ and $X_1$ be two independent binary random variables with $\Pr[X_0 = 1] \le (1 - \alpha_0)/2$ and $\Pr[X_1 = 1] \le (1 - \alpha_1)/2$, where $\alpha_0, \alpha_1 \ge 0$. Then $\Pr[X_0 \oplus X_1 = 1] \le (1 - \alpha_0 \alpha_1)/2$.

Proof. For $\Pr[X_0 = 1] = (1 - \alpha_0')/2$ and $\Pr[X_1 = 1] = (1 - \alpha_1')/2$, we have

$$\Pr[X_0 \oplus X_1 = 1] = \frac{1 - \alpha_0'}{2} \cdot \frac{1 + \alpha_1'}{2} + \frac{1 + \alpha_0'}{2} \cdot \frac{1 - \alpha_1'}{2} = \frac{1 - \alpha_0' \alpha_1'}{2}.$$

The lemma follows from the fact that

$$\frac{1 - \alpha_0' \alpha_1'}{2} \le \frac{1 - \alpha_0 \alpha_1}{2}$$

for all $\alpha_0' \in [\alpha_0, 1]$ and $\alpha_1' \in [\alpha_1, 1]$. □



Lemma A.8. For $i \in \{0, \ldots, n - 1\}$, let $X_i$ be independent binary random variables where $\Pr[X_i = 1] \le \alpha$, for $\alpha \le 1/2$. Then

$$\Pr[X_0 \oplus \cdots \oplus X_{n-1} = 1] \le \frac{1 - (1 - 2\alpha)^n}{2} \le n\alpha.$$

Proof. The first inequality follows by induction from Lemma A.7 and the second by the union bound, since

$$\Pr[X_0 \oplus \cdots \oplus X_{n-1} = 1] \le \Pr[\exists i : X_i = 1] \le n\alpha.$$

□



Lemma A.9. For $i \in \{0, \ldots, n - 1\}$, let $X_i \in \{0, 1\}$ be independently distributed with $\Pr[X_i = 1] \le \alpha$. We have

$$\Pr[X_0 = 1 \vee \cdots \vee X_{n-1} = 1] \le 1 - (1 - \alpha)^n \le n\alpha.$$

Proof. Follows directly from the union bound. □



Lemma A.10. For $i \in \{0, \ldots, n - 1\}$, let $X_i \in \{0, 1\}$ be independently distributed with $\Pr[X_i = 1] \le \alpha$. We have

$$\Pr\left[\sum_{i=0}^{n-1} X_i \ge n/2\right] \le \sum_{i = \lceil n/2 \rceil}^{n} \binom{n}{i} \alpha^i (1 - \alpha)^{n-i} \le e^{-2n(1/2 - \alpha)^2}.$$

Proof. We apply Lemma A.1 for $\mu := \alpha$ and $\varepsilon := 1/2 - \alpha$. □



